Android Update Vulnerability Lets Malware Bypass Digital Signature Check, 900 Million Potentially Affected - HotHardware
Android Update Vulnerability Lets Malware Bypass Digital Signature Check, 900 Million Potentially Affected

Android Update Vulnerability Lets Malware Bypass Digital Signature Check, 900 Million Potentially Affected

Android, like any operating system, is vulnerable to exploits. And every year about this time, we see a flurry of openings crop up as Black Hat approaches. Typically, these hacks are discovered by researchers who are looking to make the software universe safer. And now, Bluebox Security is doing precisely that. The company has discovered a vulnerability in the Android code base that essentially allows nefarious hackers to modify a digitally-approved Android APK without breaking the app's cryptographic signature. That last part is key; if the cryptographic signature breaks, that triggers an action that can prevent further hacking.

Android Update Vulnerability

Bluebox plans to showcase the entire hack at Black Hat conference this August, but in the meanwhile, some phone makers are already looking to patch it. Google itself is planning to release a patch to the Android Open Source Project to fill in the newfound gap. The actual impact could vary, but it has the potential to let a hacker in and root around in one's data. It's unlikely this will ever happen, though, as Bluebox has no intentions of revealing the hack until it's patched.

The hack could impact Android versions as old as v1.6 (nearly four years old), meaning that nearly a billion products are at risk -- in theory. As ever, this is a great reminder to watch out for unsigned apps that you may install on your Android phone. Being a cautious user generally prevents the installation of nefarious apps.
+1
+ -

This is exactly why I always ask myself "Do I really need this app?" and if I do then I make sure to do my research on the app.

0
+ -

Well, that goes beyond this issue. If you're downloading from the Play Store, you're effectively safe from this particular vulnerability, because it's unlikely someone is going to be able to gain access to Google's servers to replace a legitimate APK with their modified one. It's when you side-load that it becomes seriously risky.

0
+ -

Kay, I have been doing everything through the app store so phew! Google does warns you when you decide to side-load.

0
+ -

How many people actually sideload outside of xda members?

0
+ -

Get mine from Google only

Login or Register to Comment
Post a Comment
Username:   Password: