A security research firm claims to have discovered a 'master key' that can allow attackers to modify the code of Android applications without rendering their security certificates invalid, potentially opening a back door into millions of Android devices around the world.
A new security vulnerability, due to be described in-depth by Bluebox CTO Jeff Forristal at the Black Hat USA 2013 conference, spells trouble for Android users.
Android applications are supplied as an Android Package (APK) file, which is installed by a helper process in the popular operating system. These packages include a cryptographic signature guaranteeing that the package being installed is the same as the package created by the developer. While it doesn't stop malware from being published on Android - anybody can register for a development account and publish whatever they want to the Google Play service, with malicious files often only being taken down following user complaints - it makes it harder for an attack to pose as a legitimate developer to fool users into installing the package.
At least that was the theory. According to Jeff Forristal, chief technical officer at security firm Bluebox, there's a problem: the Android security model can be fooled into thinking an invalid signature is valid, allowing an attacker to modify the code contained within an APK without triggering an alarm.
'The implications are huge,
' Forristal claims in a blog post
on the discovery. 'This vulnerability, around at least since the release of Android 1.6, could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.
According to Bluebox's security team, Android overseer Google was informed of the vulnerability back in February 2013. In proof-of-concept testing, the team was able to modify a third-party developer's package in order to gain full super-user access to the system - using it to insert their own name into the phone's Baseband Version identifier, which appears in the Settings screen. Forristal has also promised to release technical details of the attack as part of a talk planned for the Black Hat USA 2013
Releasing the technical details could, potentially, open up millions of Android users to attack. The undeniably fragmented nature of the Android ecosystem, in which devices only a year old can be abandoned by their creators and receive no software updates whatsoever, means that even if Google patches the flaw in its most recent release hundreds of millions of devices will be left exposed.
Thus far, Google has not commented on the claimed vulnerability.