Tuesday, 9 July 2013

Android Has a 4-Year-Old Vulnerability, Affects Most

A security vulnerability has resided within Android since v1.6 "Donut." Yikes!
Bluebox Security research team Bluebox Labs has discovered a security vulnerability that has quietly resided in Google's Android platform since the release of 1.6 "Donut."
Company CTO Jeff Forristal said in a recent blog post that this newly discovered vulnerability allows a hacker to modify APK code without breaking an application's cryptographic signature. That means any legitimate app, even an Android system app, can be turned into malware without Google Play, the device, or the end user being made aware of the change.
All Android apps carry cryptographic signatures, which the platform uses to determine whether an app is legitimate and whether it has been tampered with or modified. But there are discrepancies in how these apps are cryptographically verified and how they are installed, which together allow the APK to be modified without invalidating its signature. Thus a malicious author could trick Android into believing the installed app is unchanged from the original, even one provided by the device maker.
"Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013," he said. "It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."
He also provided an example performed by the team in which they modified an Android device manufacturer's own app, giving themselves access to any and all permissions. They were even able to modify the system-level software information to include the name "Bluebox" in the Baseband Version string, a value that is normally controlled and configured by the system firmware.
"This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last four years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," he said.
The question is, where do we go from here? Infected apps could already be listed on Google Play (which isn't exactly malware-free despite Google's efforts). The technical details surrounding the issue, including the related tools and material, won't be made public until Forristal's presentation at Black Hat USA 2013 in Las Vegas at the end of the month. However, Chester Wisniewski, a senior security adviser at Sophos, indicates that the problem lies mainly with third-party markets.
"The risk is when users install applications from third-party websites," Wisniewski told NBC News via email. "This practice is ALWAYS dangerous, this just makes it extra difficult to determine if an app has been tampered with. It should be assumed that an app HAS been tampered with anytime it is acquired from a source other than the original manufacturer or the Play Store."
"I have not seen any evidence of Amazon being less thorough than Google, but have not personally investigated their processes," he added.
Forristal said his presentation will "review how the vulnerability was located, how an exploit was created, and why the exploit works, giving insight into the vulnerability problem and the exploitation process." Working proof-of-concept applications will also be demonstrated for all major Android device vendors.
