Wednesday, October 18 2017

Security researchers find flaw in Android that affects 99% of devices

The security research team at Bluebox has announced partial details of a potential security flaw that has been present in Android since version 1.6 (Donut) and makes 99% of Android devices vulnerable to attack.

The flaw lies in how APKs (Android application files) are cryptographically signed, which they are as standard. The vulnerability that Bluebox has discovered allows malicious code to be injected into an APK without breaking the application's cryptographic signature.

Basically, this means a seemingly innocuous APK that appears on the surface to come from a known and trusted developer could actually contain malicious code. The possibilities for attack are quite disturbing: depending on the permissions granted to the app, the affected APK could access some pretty high-level system information, potentially turning the device into part of a botnet or allowing data theft.

The problem, though, lies in actually getting the infected files to users and getting them to install them. Jeff Forristal, Bluebox CTO, explains that when a developer initially uploads an app to Google Play for approval, Google scans the file's digital signature and records it. Subsequent updates for the app are scanned against this signature for aberrations. Google has updated the Google Play application approval process to specifically look for this exploit and remove the possibility of it affecting users, at least for app updates in the official store.

This leaves sideloading as the only way to get an affected update installed: hosting affected files on websites that then trick users into installing them, uploading them directly via USB, or offering them through an alternate app store that doesn't specifically scan APKs for this exploit.

Bluebox disclosed this vulnerability to Google in a security bug report in February this year (Android security bug 8219321) and has advised that it will release more technical information on the exploit at the Black Hat USA 2013 security conference.

It’s a pretty big flaw that has only been addressed on one device so far, the Samsung Galaxy S4. Unfortunately, even Nexus devices, which are usually the most up to date, are still affected according to Forristal.

According to the post on CIO, Google has declined to comment on the matter, but that is not surprising.

It’s pertinent to remember that, whilst this is something to think about, it will NOT affect updates and apps that you download from Google Play; it COULD affect apps that come from other sources. Hopefully OEMs update their devices, and Google updates its Nexus devices, in the near future to kill off the possibility of the vulnerability.

Do you download APKs from third party App stores?

 
Source: CIO, and BlueBox.
Via: TheVerge.

Daniel Tyson   Editor



18 Comments on "Security researchers find flaw in Android that affects 99% of devices"

Sisyphus Adroit

I think I may have downloaded a couple of APKs off the net and installed them on my phone, though I’m not 100 per cent sure. So what can I do now to get rid of any Trojans that may be lurking in the system files and make my phone (HTC One X+ running JB 4.1.2) safe? Any advice/suggestions would be much appreciated.

TIA

vijay alapati

I think Windows Phone 8 has the ability to sideload apps 0_o

ohdenny

I think the only times I’ve sideloaded was the Playstation Mobile and new Hangouts app, MyBackupPro (wasn’t on the store) and Swype. Otherwise I get everything from the Play Store. I wouldn’t dare try randomly found apks.

Member

If it only affects sideloaded apps, then anyone malicious has always had the ability to insert malicious code into the apk and resign. All this means is that the signature will still be from the original developer. I don’t know anyone that checks the digital signature and relies on that for authenticity.

Level380

And people who are sideloading apps not from the original developer directly or via the Play Store are stealing the app! I’ve always assumed that ‘paid apks’ out in the wild are infected anyhow!

Level380

So don’t install random apks you find on the internet and you will be OK…

Haven’t all randomly found apks been a risk? If you’re stealing apps, you deserve spyware 🙂

BigEars528

Not all apks on the internet are pirated.

Level380

Random apks you ‘find’ on the internet would imply they are not from official sources, so yes, all random apks you ‘find’ on the internet are most likely pirated, otherwise you would go through official legal sources to install them.

BigEars528

Did I say they were random apks? What if it’s a Beta channel for a dev that he chose not to list through the Play Store? What if it’s an unofficial Carrier or OEM application that’s been modified to work on multiple phones? I download lots of things from XDA that you can’t find on the Play Store; there are plenty of reasons that someone would choose not to have it on the Play Store.

Level380

Well, you are replying to my post and that’s what I said! Don’t change the rules to suit yourself. All your examples other than XDA I would class as official sources for the APK. If the dev is posting APK files on their own website for testing, this is classed as an official channel. Cut the crap BigEars, you and I both know what APK files I’m referring to. You clearly know I’m referring to the people who are too cheap to pay for apps and troll the internet to get a freebie and save 99 cents by ‘finding’ the APK…

BigEars528

Actually no, clearly you were referring to apks found on the internet. I can go search for a way to stream video to my computer from my tablet, find an app on someone’s website that streams music to my phone and download it. That would be classified as “randomly finding an apk on the internet”. I know what you mean, but you can’t just say that everyone else does. Sometimes, a blanket rule of “all non-play apps are illegal and virus ridden” just doesn’t work. And before you start ranting, I am aware that that isn’t what you said word…
