The security research team at Bluebox has announced partial details of a security flaw that has been present in Android since version 1.6 (Donut) and leaves 99% of Android devices vulnerable to attack.
The flaw lies in how APKs – Android application files – are verified: as standard they are cryptographically signed. The vulnerability Bluebox has discovered, though, allows malicious code to be injected into an APK without breaking the application's cryptographic signature.
Basically, this means a seemingly innocuous APK from what appears on the surface to be a known and trusted developer could actually contain malicious code. The possibilities for attack are quite disturbing: depending on the permissions granted to the app, the affected APK could access some fairly high-level system information, potentially turning the device into part of a botnet or allowing data theft.
The problem, though, lies in actually getting the infected files to users and getting them to install them. Jeff Forristal, Bluebox CTO, explains that when a developer initially uploads an app to Google Play for approval, Google scans the file's digital signature and records it. Subsequent updates to the app are checked against this signature for aberrations. Google has already updated the Google Play application approval process to specifically look for this exploit and remove the possibility of it affecting users, at least for app updates in the official store.
This leaves sideloading as the only way to get an affected update installed: hosting affected files on websites that trick users into installing them, loading them directly via USB, or distributing them through an alternative app store that doesn't specifically scan APKs for this exploit.
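To make concrete what "the signature still verifies" is supposed to guarantee, here is an added example (not Bluebox's, Google's or the article's code) of the defender-side step that ties a signed manifest to the archive's actual contents: every entry in the APK must be listed in META-INF/MANIFEST.MF and must hash to the recorded SHA1-Digest. It assumes the JAR-style v1 signing layout of the time, that the signature over the manifest itself (CERT.SF / CERT.RSA) is verified separately, and it uses constructed in-memory archives rather than a real app.

```python
import base64
import hashlib
import io
import zipfile


def sha1_b64(data):
    """Digest encoding used by MANIFEST.MF entries (SHA-1, base64)."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def parse_manifest(text):
    """Map each entry named in a MANIFEST.MF body to its SHA1-Digest value."""
    entries, name, last = {}, None, ""
    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):  # a leading space continues the previous line
            last += raw[1:]
            continue
        attr, _, value = last.partition(": ")
        if attr == "Name":
            name = value
        elif name and attr == "SHA1-Digest":
            entries[name] = value
        last = raw
    return entries


def check_apk(apk_bytes):
    """List entries that are absent from the manifest or whose digest does not match it."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():  # every physical entry, read via its own ZipInfo
            if info.filename.startswith("META-INF/") or info.is_dir():
                continue
            if info.filename not in manifest:
                problems.append("unsigned entry: " + info.filename)
            elif sha1_b64(zf.read(info)) != manifest[info.filename]:
                problems.append("digest mismatch: " + info.filename)
    return problems


def build_apk(files, signed=None):
    """Constructed test data: a zip of `files` whose MANIFEST.MF covers `signed` (default: files)."""
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in (signed or files).items():
        manifest += "Name: %s\nSHA1-Digest: %s\n\n" % (name, sha1_b64(data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

An archive whose manifest covers every entry with the right digest yields no problems; a patched classes.dex or an extra file smuggled in behind an untouched manifest is reported.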
Bluebox disclosed this vulnerability to Google in a security bug report in February this year – Android security bug 8219321 – and has advised that it will release more technical information on the exploit at the Black Hat USA 2013 security conference.
It's a pretty big flaw that has so far been addressed on only one device – the Samsung Galaxy S4. Unfortunately, even Nexus devices, which are usually the most up to date, are still affected according to Forristal.
According to the post on CIO, Google has declined to comment on the matter, but that is not surprising.
It's pertinent to remember that, while this is something to think about, it will NOT affect updates and apps that you download from Google Play; it COULD affect apps that come from other sources. Hopefully OEMs will update their devices, and Google its Nexus devices, in the near future to kill off the possibility of the vulnerability being exploited.
Do you download APKs from third party App stores?
I think I may have downloaded a couple of APKs off the net and installed them on my phone, though I’m not 100 per cent sure. So what can I do now to get rid of any Trojans that may be lurking in the system files and make my phone (HTC One X+ running JB 4.1.2) safe? Any advice/suggestions would be much appreciated.
TIA
I think Windows Phone 8 has the ability to sideload apps 0_o
I think the only times I’ve sideloaded was the Playstation Mobile and new Hangouts app, MyBackupPro (wasn’t on the store) and Swype. Otherwise I get everything from the Play Store. I wouldn’t dare try randomly found apks.
If it only affects sideloaded apps, then anyone malicious has always had the ability to insert malicious code into the apk and resign. All this means is that the signature will still be from the original developer. I don’t know anyone that checks the digital signature and relies on that for authenticity.
And people who are sideloading apps not from the original developer directly or via the Play Store are stealing the app! I've always assumed that 'paid apks' out in the wild are infected anyhow!
So don’t install random apks you find on the internet and you will be OK…
Haven't all randomly found apks been a risk? If you're stealing apps, you deserve spyware 🙂
Pretty much.
“If you’re stealing apps, you deserve spyware” Exactly.
Pirating isn’t bad. If you can’t get a debit card then some people have reason to pirate. Or if someone wants to trial an application they pirate it before they feel that it’s worth paying for.
Your first reason is not valid for most people in developed countries who have access to prepaid debit cards. In Australia, anyone can get a Load&Go card from Australia Post that works fine. Your second reason is also a bit dubious but I suppose is more understandable in some cases. However, if someone chooses to go against the wishes of a developer who’s chosen not to provide a trial version, they have to accept the risks and I won’t feel sorry for them if they pick up some malware.
Really a down vote for that? This kind of thing actually happens. When I was around 14-16 and I couldn’t afford apps I’d pirate all day long. It’s not a big deal.
Sorry Sean, but I think we'd have to agree here. Stealing software is wrong, regardless of the justification for it. I can sympathise, yes, because I know when I was a kid, I probably couldn't afford things like this either. However, when I was a kid, we didn't have smartphones, either 😉 Piracy of apps is a big deal. You mightn't think it, but it is. It has real world effects. Look at what happened to Falcon Pro. I have no doubt that the reason it ran out of Twitter tokens was because of rampant piracy, not only ruining the…
Anyone under 18 can’t get a load and go. Some circumstances don’t allow for parental permission, not gonna go into detail as there is no blanket rule that covers all situations, but I agree with Sean, not all pirates are pirates because they’re stingy. However for the most part, yes piracy as an idea, where you’re taking someone else’s work that they deserve money for, is USUALLY morally wrong.
If you’re under 18, you can use the credit from a Telstra pre-paid SIM. It can work out a lot cheaper too – you can get the $30 ones on sale for $10 occasionally. I bought one the last time from BigW and purchased $30 worth of books from the Play Store. You can use the credit on your existing Google account too.
Not all apks on the internet are pirated.
Random apks you 'find' on the internet would imply they are not from official sources, so yes, all random apks you 'find' on the internet are most likely pirated; otherwise you would go through official legal sources to install them.
Did I say they were random apks? What if it's a beta channel for a dev that he chose not to list through the Play Store? What if it's an unofficial carrier or OEM application that's been modified to work on multiple phones? I download lots of things from XDA that you can't find on the Play Store; there are plenty of reasons that someone would choose not to have it on the Play Store.
Well, you are replying to my post and that's what I said! Don't change the rules to suit yourself. All your examples other than XDA I would class as official sources for the APK. If the dev is posting APK files on their own website for testing, this is classed as an official channel. Cut the crap BigEars, you and I both know what APK files I'm referring to. You clearly know I'm referring to the people who are too cheap to pay for apps and troll the internet to get a freebie and save 99 cents by 'finding' the APK…
Actually no, clearly you were referring to apks found on the internet. I can go search for a way to stream video to my computer from my tablet, find an app on someone's website that streams music to my phone and download it. That would be classified as "randomly finding an apk on the internet". I know what you mean, but you can't just say that everyone else does. Sometimes, a blanket rule of "all non-Play apps are illegal and virus ridden" just doesn't work. And before you start ranting, I am aware that that isn't what you said word…