Attackers can modify apps without breaking the cryptographic signature

Jul 4, 2013 07:22 GMT

Researchers have uncovered an Android security hole that can be exploited by cybercriminals to turn any legitimate application into a malicious Trojan by modifying the APK code without breaking the targeted app’s cryptographic signature.

Experts from Bluebox Labs, the research team of Bluebox Security, say the vulnerability could affect almost 900 million Android devices. More precisely, Android versions starting with 1.6 are said to be impacted.

Hackers can exploit the flaw for a wide range of purposes, including data theft and the creation of a mobile botnet. And the worst part is that the modified application can go completely unnoticed not only by the end user, but also by the phone and even the app store.

Modifying regular apps is bad enough, but experts warn that the security hole can also be leveraged against applications that are granted special elevated privileges (System UID access), such as the ones developed by the device manufacturers, or third parties that work with the device manufacturers.

Installing a Trojan application that has full permissions allows the attacker to read sensitive data from the phone, and basically take complete control of the device.

“Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” Jeff Forristal, Bluebox CTO, explained.

So how does it work?

All Android applications contain cryptographic signatures that the operating system uses to determine whether an application is legitimate and whether it has been tampered with.

However, the vulnerability lies in discrepancies between how apps are cryptographically verified and how they are installed, which allow an attacker to modify the APK code without breaking the cryptographic signature.

The vulnerability was reported to Google in February 2013. However, it is now up to the device manufacturers to develop and release firmware updates for their products.

Technical details of the vulnerability will be presented by experts at the upcoming BlackHat USA 2013 security conference.