Mobile security startup Bluebox Security has unearthed a vulnerability in Android’s security model. According to the security firm, more than 900 million Android phones released in the past four years are vulnerable to hacking due to a so-called “master key”.
The “master key” security vulnerability has existed within Android for the past four years, since Android v1.6 (Donut). It allows hackers to modify any legitimate and digitally signed app – turning it into a potentially malicious program used to steal user data, eavesdrop or even take control of the Android device altogether.
Bluebox says the flaw exploits discrepancies in how Android apps are cryptographically verified and installed. Specifically, it allows a hacker to change an app’s code while leaving its cryptographic signature unchanged, thereby tricking Android into believing the app itself is unchanged, and allowing the hacker to wreak their merry havoc.
The flaw is made worse if an attacker targets a sub-set of apps developed by device makers themselves, or third parties — such as Cisco with its AnyConnect VPN app — that work closely with device makers and are granted system UID access. This sub-set of apps can allow a hacker to tap into far more than just mere app data, with the potential to steal passwords and account info and take over the normal running of the phone.
The firm decided to make its findings public on Wednesday – a considerable time after it had alerted Google to the problem back in February 2013.
Bluebox advises the following:
- Device owners should be extra cautious in identifying the publisher of the app they want to download.
- Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
- IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
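One integrity check of the kind this advice points to, as an added example that is not from Bluebox or the original report: it scans an APK, which is a ZIP archive, for entry names that appear more than once. The article does not spell out the discrepancy; public analyses of this bug describe it as two entries sharing one name, so that the signature check and the installer read different copies. The function name, the result fields and the `CRITICAL` list are assumptions made for this example.

```python
import sys
import zipfile
from collections import defaultdict

# Entries whose duplication matters most: app code and the manifest.
CRITICAL = ("classes.dex", "AndroidManifest.xml")

def find_duplicate_entries(apk):
    """Scan an APK (path or file-like object) for repeated entry names.

    Returns a list of findings, one per repeated name:
    {"name", "copies", "contents_differ", "critical"}.
    Raises ValueError if the file is not a readable ZIP archive.
    """
    try:
        with zipfile.ZipFile(apk) as zf:
            by_name = defaultdict(list)
            # infolist() keeps every central-directory record, repeats included.
            for info in zf.infolist():
                by_name[info.filename].append(info)
    except zipfile.BadZipFile as exc:
        raise ValueError(f"not a valid ZIP/APK: {exc}") from exc

    findings = []
    for name, infos in by_name.items():
        if len(infos) < 2:
            continue
        # Differing CRC-32 or size means the copies hold different bytes.
        fingerprints = {(i.CRC, i.file_size) for i in infos}
        findings.append({
            "name": name,
            "copies": len(infos),
            "contents_differ": len(fingerprints) > 1,
            "critical": name in CRITICAL,
        })
    # Report critical names first, then alphabetically.
    return sorted(findings, key=lambda f: (not f["critical"], f["name"]))

if __name__ == "__main__":
    # Usage: python check_apk.py app1.apk app2.apk ...
    for path in sys.argv[1:]:
        hits = find_duplicate_entries(path)
        print(path, "SUSPICIOUS" if hits else "ok")
        for h in hits:
            print("  ", h)
```

A well-formed APK has no repeated entry names, so any finding is grounds to reject the file before it reaches a device.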
According to a report in CIO, Google has already modified its Play Store’s app entry process so that apps that have been modified using this exploit are blocked and can no longer be distributed via Play.
This latest Android security flaw adds to the general low-level risk attached to using Android but how widely it ends up being exploited by malware writers remains to be seen — so how much more actual risk it introduces into the ecosystem is hard to quantify.