A vulnerability in virtually all Android devices could be used to break into companies’ networks.
If exploited by hackers, the flaw could turn legitimate applications on the device into defense-dodging Trojans, said Bluebox Security chief technology officer Jeff Forristal.
“The Bluebox Security research team recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user,” Forristal said.
The vulnerability has been around since Android 1.6 Jelly Bean and could target any Google phone or tablet released in the last four years, including popular handsets like the HTC One and Samsung Galaxy S4, Forristal said.
Forristal added the vulnerability is dangerous because of the way many big-name companies have granted Android devices running on their networks additional privileges.
“While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in co-operation with the device manufacturer (e.g. Cisco with AnyConnect VPN) that are granted special elevated privileges within Android – specifically System UID access,” he said.
The Bluebox chief added that the vulnerability could also theoretically be used to set up an Android botnet, letting criminals use millions of Android devices to their own ends. Were that to occur, the botnet could cause havoc, letting criminals mount numerous denial-of-service attacks or rake in billions of dollars via spam campaigns and the like.
Google was not immediately available for comment on Bluebox’s research. F-Secure security expert Sean Sullivan said that while Bluebox’s research looks legitimate, the potential for harm appears limited and the issue could end up being solved in a variety of ways. “The real question is how practical is it?” Sullivan said.
“From our reading of Bluebox’s post, the issue is something that Google Play could be able to (or already does) mitigate. Interaction with Play would cause Google to recognize the altered apps. But there could be an issue with apps from third-party markets. All in all, it is difficult to determine if this vulnerability makes for something useful in terms of crimeware. So there’s no way yet to say if consumers and/or businesses should be concerned.”
Forristal said businesses should rethink their bring-your-own-device (BYOD) policies regarding Android. “Device owners should be extra cautious in identifying the publisher of the app they want to download. Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated,” he wrote.