Attackers could exploit a vulnerability in how Android applications are checked for security to take full control of a mobile device, and almost all Android versions are affected, it has been warned.
The flaw, which affects any version of Android released in the last four years, would allow a hacker to change Android application packages (APKs) without altering the app’s cryptographic signature, according to security start-up BlueBox.
That means they could add malicious code to Trojanise official applications and, crucially, bypass security mechanisms on Android devices and on the Google Play store, which check the validity of cryptographic signatures whenever an app is updated. It gives attackers a “master key” into Android devices, the security firm claimed.
As it is believed Google has blocked any apps that could be exploited by the flaw from its official store, it would be tricky for attackers to get modified APKs on the Play platform.
If attackers placed their rogue app on third-party stores, which traditionally have laxer security protections, they might have more success.
No reports of attacks in the wild have been reported thus far, however, and BlueBox has not revealed full details of the vulnerability.
It is believed Android partners would have been told some time ago, as the flaw was responsibly disclosed back in February, so device manufacturers should have updated their firmware to cover off the flaw.
Google had not responded to a request for comment at the time of publication.
If attackers could get over the various hurdles, the impact would be massive, as BlueBox CTO Jeff Forristal noted in his blog post on the flaw, more details of which are to be announced at the Black Hat event taking place in later this month.
The flaw would be particularly problematic if attackers were able to Trojanise apps made by device makers, as they often have low-level access to devices.
“While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access,” Forristal wrote.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed.
“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).”
Think you know everything about Android? Try our quiz!
Troubled battery maker Northvolt reportedly considers Chapter 11 bankruptcy protection in the United States as…
Microsoft's cloud business practices are reportedly facing a potential anti-competitive investigation by the FTC
Ilya Lichtenstein sentenced to five years in prison for hacking into a virtual currency exchange…
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…
