Android Update Vulnerability Lets Malware Bypass Digital Signature Check, 900 Million Potentially Affected

rated by 0 users
This post has 5 Replies | 0 Followers

Top 10 Contributor
Posts 24,877
Points 1,116,600
Joined: Sep 2007
ForumsAdministrator
News Posted: Thu, Jul 4 2013 2:02 AM
Android, like any operating system, is vulnerable to exploits. And every year about this time, we see a flurry of openings crop up as Black Hat approaches. Typically, these hacks are discovered by researchers who are looking to make the software universe safer. And now, Bluebox Security is doing precisely that. The company has discovered a vulnerability in the Android code base that essentially allows nefarious hackers to modify a digitally-approved Android APK without breaking the app's cryptographic signature. That last part is key; if the cryptographic signature breaks, that triggers an action that can prevent further hacking.

Android Update Vulnerability

Bluebox plans to showcase the entire hack at Black Hat conference this August, but in the meanwhile, some phone makers are already looking to patch it. Google itself is planning to release a patch to the Android Open Source Project to fill in the newfound gap. The actual impact could vary, but it has the potential to let a hacker in and root around in one's data. It's unlikely this will ever happen, though, as Bluebox has no intentions of revealing the hack until it's patched.

The hack could impact Android versions as old as v1.6 (nearly four years old), meaning that nearly a billion products are at risk -- in theory. As ever, this is a great reminder to watch out for unsigned apps that you may install on your Android phone. Being a cautious user generally prevents the installation of nefarious apps.
  • | Post Points: 65
Not Ranked
Posts 82
Points 635
Joined: Jun 2013

This is exactly why I always ask myself "Do I really need this app?" and if I do then I make sure to do my research on the app.

  • | Post Points: 20
Top 150 Contributor
Posts 579
Points 5,260
Joined: Sep 2012
Location: Canada
ForumsAdministrator
Moderator

Well, that goes beyond this issue. If you're downloading from the Play Store, you're effectively safe from this particular vulnerability, because it's unlikely someone is going to be able to gain access to Google's servers to replace a legitimate APK with their modified one. It's when you side-load that it becomes seriously risky.

  • | Post Points: 5
Not Ranked
Posts 71
Points 580
Joined: Jun 2013
Jun replied on Thu, Jul 4 2013 2:26 PM

Kay, I have been doing everything through the app store so phew! Google does warns you when you decide to side-load.

  • | Post Points: 5
Top 150 Contributor
Posts 619
Points 5,260
Joined: Dec 2011

How many people actually sideload outside of xda members?

  • | Post Points: 5
Top 10 Contributor
Posts 8,437
Points 102,170
Joined: Apr 2009
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator
realneil replied on Thu, Jul 4 2013 10:36 PM

Get mine from Google only

Don't part with your illusions. When they are gone you may still exist, but you have ceased to live.

(Mark Twain)

  • | Post Points: 5
Page 1 of 1 (6 items) | RSS