Android Update Vulnerability Lets Malware Bypass Digital Signature Check, 900 Million Potentially Affected


Top 10 Contributor
Posts 26,747
Points 1,210,175
Joined: Sep 2007
ForumsAdministrator
News Posted: Thu, Jul 4 2013 2:02 AM
Android, like any operating system, is vulnerable to exploits. And every year about this time, we see a flurry of openings crop up as Black Hat approaches. Typically, these hacks are discovered by researchers who are looking to make the software universe safer. And now, Bluebox Security is doing precisely that. The company has discovered a vulnerability in the Android code base that essentially allows nefarious hackers to modify a digitally-approved Android APK without breaking the app's cryptographic signature. That last part is key; if the cryptographic signature breaks, that triggers an action that can prevent further hacking.

Bluebox plans to showcase the entire hack at the Black Hat conference this August, but in the meantime, some phone makers are already looking to patch it. Google itself is planning to release a patch to the Android Open Source Project to fill in the newfound gap. The actual impact could vary, but it has the potential to let a hacker in and root around in one's data. It's unlikely this will ever happen, though, as Bluebox has no intentions of revealing the hack until it's patched.

The hack could impact Android versions as old as v1.6 (nearly four years old), meaning that nearly a billion products are at risk -- in theory. As ever, this is a great reminder to watch out for unsigned apps that you may install on your Android phone. Being a cautious user generally prevents the installation of nefarious apps.
Not Ranked
Posts 82
Points 635
Joined: Jun 2013

This is exactly why I always ask myself "Do I really need this app?" and if I do then I make sure to do my research on the app.

Top 150 Contributor
Posts 635
Points 5,705
Joined: Sep 2012
Location: Canada
ForumsAdministrator
Moderator

Well, that goes beyond this issue. If you're downloading from the Play Store, you're effectively safe from this particular vulnerability, because it's unlikely someone is going to be able to gain access to Google's servers to replace a legitimate APK with their modified one. It's when you side-load that it becomes seriously risky.

Not Ranked
Posts 71
Points 580
Joined: Jun 2013
Jun replied on Thu, Jul 4 2013 2:26 PM

Kay, I have been doing everything through the app store so phew! Google does warn you when you decide to side-load.

Top 150 Contributor
Posts 619
Points 5,260
Joined: Dec 2011

How many people actually sideload outside of xda members?

Top 10 Contributor
Posts 8,771
Points 105,115
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Thu, Jul 4 2013 10:36 PM

Get mine from Google only

