Printed from http://www.electronista.com

Bluebox finds Android cryptological app 'master key' security flaw

updated 08:03 pm EDT, Wed July 3, 2013

Attack allows for privilege escalation, unlocks all data for malicious app

Mobile security research firm Bluebox Labs discovered (and reported to Google) a serious security issue with Android in February that, according to a new announcement, remains unpatched. The flaw allows a miscreant to modify APK code without breaking an app's cryptographic signature. Modifying the code can allow a coder to get an app past Google's security precautions unnoticed and to elevate permissions, allowing malicious code to be executed. The flaw has existed since Android OS v1.6.

Every Android app contains a cryptographic signature that assures the kernel of the device that the app has not been tampered with. The vulnerability allows code to be inserted into an existing app without changing the app's signature, in essence tricking Android into believing that the app is unchanged from initial installation.

According to Bluebox, the Trojan attack has special significance. The research firm believes that "while the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) that are granted special elevated privileges within Android -- specifically, System UID access."

Using this elevated access granted by manufacturer-specific apps, a Trojan-attacked app can then read any information on the device, recall all stored passwords, and "essentially take over the normal functioning of the phone and control any function thereof" including, but not limited to, phone calls, SMS messaging, camera use, and call recording.

Bluebox reported the issue to Google earlier this year, but it is believed that no manufacturers have implemented the fix, including Google itself. Full specifics on the assault methodology will be released to the public at the Black Hat 2013 conference.



By Electronista Staff