The security research team at Bluebox has announced partial details of a security flaw that has been present in Android since version 1.6 (Donut) and leaves 99% of Android devices vulnerable to attack.
The flaw lies in how APKs – Android application files – are verified: as standard they are cryptographically signed. The vulnerability Bluebox has discovered, however, allows malicious code to be injected into an APK without breaking the application’s cryptographic signature.
Basically, this means a seemingly innocuous APK that appears on the surface to come from a known and trusted developer could actually contain malicious code. The possibilities for attack are quite disturbing: depending on the permissions granted to the app, an affected APK could access some pretty high-level system information, potentially turning the device into part of a botnet or allowing data theft.
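To make concrete what “without breaking the signature” means in practice, here is a small added example (not code from the article or from Bluebox) of the per-file integrity layer that an APK signature commits to. APKs are ZIP archives carrying a JAR-style META-INF/MANIFEST.MF that lists a SHA1-Digest for every file; the signature itself covers that manifest. The example builds a constructed, minimal APK-like archive in memory, then runs a defensive check that every installed entry is listed in the manifest and matches its digest, and that no path appears twice in the archive (an ambiguous archive is a red flag on its own). The CERT.SF/CERT.RSA signature layer and manifest line continuation are left out for brevity; the archive contents are constructed sample data.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample contents for an APK-like archive (not a real app).
SAMPLE = {
    "classes.dex": b"dex\n035\x00original bytecode",
    "AndroidManifest.xml": b"<manifest package='example.constructed'/>",
}


def build_manifest(entries):
    """Build a JAR-style MANIFEST.MF body: one SHA1-Digest section per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(text):
    """Return {path: base64 SHA-1 digest} from MANIFEST.MF sections.
    Assumes each section fits on unbroken lines (no 72-byte continuation)."""
    digests, name = {}, None
    for raw in text.decode().splitlines():
        line = raw.strip()
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
        elif not line:
            name = None  # blank line ends the section
    return digests


def make_apk(entries):
    """Write a ZIP with MANIFEST.MF followed by the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", build_manifest(entries))
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def rewrite_entry(apk_bytes, name, data):
    """Copy the archive, replacing (or appending) one entry's content while
    leaving MANIFEST.MF untouched, i.e. a change the manifest does not cover."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        replaced = False
        for info in src.infolist():
            if info.filename == name:
                dst.writestr(name, data)
                replaced = True
            else:
                dst.writestr(info.filename, src.read(info))
        if not replaced:
            dst.writestr(name, data)
    return out.getvalue()


def verify_entries(apk_bytes):
    """Defensive check of every non-META-INF entry against MANIFEST.MF.
    Returns a list of problems; an empty list means all entries are covered."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        infos = z.infolist()
        seen = set()
        for info in infos:
            if info.filename in seen:
                problems.append(f"duplicate entry: {info.filename}")
            seen.add(info.filename)
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        for info in infos:
            n = info.filename
            if n.startswith("META-INF/") or n.endswith("/"):
                continue
            if n not in digests:
                problems.append(f"not in manifest: {n}")
                continue
            actual = base64.b64encode(hashlib.sha1(z.read(info)).digest()).decode()
            if actual != digests[n]:
                problems.append(f"digest mismatch: {n}")
    return problems


if __name__ == "__main__":
    good = make_apk(SAMPLE)
    print("clean archive:", verify_entries(good))
    print("modified dex:", verify_entries(rewrite_entry(good, "classes.dex", b"changed")))
    print("unlisted file:", verify_entries(rewrite_entry(good, "lib/extra.so", b"x")))
```

The check mirrors the invariant a platform verifier must enforce before installing anything: the bytes that end up on the device are exactly the bytes whose digests the signed manifest vouches for, with no unlisted, altered or ambiguous entries.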
The difficulty for an attacker, though, lies in actually getting the infected files to users and getting them to install them. Jeff Forristal, Bluebox CTO, explains that when a developer first uploads an app to Google Play for approval, Google scans the file’s digital signature and records it. Subsequent updates to the app are checked against this recorded signature for aberrations. Google has also updated the Google Play approval process to look specifically for this exploit, removing the possibility of it affecting users, at least for app updates in the official store.
This leaves sideloading as the only way to get an affected update installed: hosting affected files on websites that trick users into installing them, loading them directly via USB, or distributing them through an alternative app store that does not specifically scan APKs for this exploit.
Bluebox disclosed this vulnerability to Google in a security bug report in February this year – Android security bug 8219321 – and has advised that it will release more technical information on the exploit at the Black Hat USA 2013 security conference.
It’s a pretty big flaw that has so far been addressed on only one device – the Samsung Galaxy S4. Unfortunately, even Nexus devices, which are usually the most up to date, are still affected according to Forristal.
According to the post on CIO, Google has declined to comment on the matter, which is not surprising.
It’s pertinent to remember that, whilst this is something to think about, it will NOT affect updates and apps that you download from Google Play; it COULD affect apps that come from other sources. Hopefully OEMs will update their devices, and Google its Nexus devices, in the near future to kill off the possibility of the vulnerability being used.
Do you download APKs from third party App stores?