Critical Android vulnerability discovered


5 July 2013

According to researchers at Bluebox Security, there is a vulnerability in the Android operating system (OS) that allows a hacker to modify Android Application Package (APK) code without breaking the application's cryptographic signature, turning legitimate applications into malicious Trojans. The researchers say that this could be done "completely unnoticed by the app store, the phone, or the end user".

In a blog post, Jeff Forristal, CTO of Bluebox Security, reports that the vulnerability has existed since version 1.6 (codenamed Donut) of the Android OS and could affect up to 900 million devices. He warns that, depending on the type of application, a hacker could exploit the vulnerability for anything from data theft to the creation of a mobile botnet.

"While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access," wrote Forristal.


The installation of a Trojanised application from the device manufacturer can grant the application full access to the Android system and to all applications and data currently installed, according to the blog. The application would then not only be able to read arbitrary application data on the device, such as email, SMS messages and documents, but also to retrieve all stored account and service passwords, warns Bluebox.

"It can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet," wrote Forristal.

Bluebox recommends that device owners should be "extra cautious in identifying the publisher of the app they want to download".

"Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated," warns Forristal.

"IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data."


TechCentral Reporters 
