Android ‘Master Key’ Security Vulnerability Exposed
A security specialist has uncovered a vulnerability in Google’s (GOOG) Android operating system that could enable cyber attackers to take over a user’s smartphone, according to a report in Ars Technica, based on a blog post at Bluebox Labs’s website.
Bluebox, which uncovered the flaw, reported the vulnerability to Google last February, according to the report. The Android security flaw involves the cryptographic signature of authentic Android applications, which serves as an assurance that the software hasn’t been tampered with by parties other than the actual developer, Bluebox said.
The flaw has been present for nearly four years and affects Android versions back to 1.6. The security researchers discovered how to deceive Android’s signature validation check so that malicious code slips by unnoticed. As a result, any app or program written to take advantage of the weakness would gain the same access to a user’s phone as legitimate code.
“This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last four years—or nearly 900 million devices—and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” wrote Bluebox chief technology officer Jeff Forristal.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed,” he wrote. “The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).”
And, perhaps most importantly, with control of a user’s device, an attacker can use it to create a botnet to magnify the harm multifold, said Forristal.
“Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet,” he wrote.
The good news? So far, the Android security vulnerability hasn’t been capitalized on by an attacker, according to Forristal, who said the “danger from the loophole remains theoretical because, as yet, there is no evidence that it is being exploited by cyber-thieves.”