Researchers in the security field at Bluebox Security, have found a bug in the Android operating system, which allows them to create malicious apps (appearing to be genuine with correct digital signatures). Digital signatures allow any piece of data, including an app, to be checked to see that it is genuine. But, because of this bug in Android, it is possible to create a fake app and digitally sign it so it looks like a real app from an author, including massive companies such as Google, Samsung, HTC and Sony etc.
Since the digital signatures of companies like Google and hardware manufacturers like Samsung, can be faked, it is possible to create a system app which has system access to the device in question. These system apps, which have what is known as ’System UID access’ can perform any function on the phone including modifying system-level parameters and system-level software. If such an app is installed on an Android mobile phone, the user would be totally vulnerable to a plethora of attacks including password sniffing and key logging.
The researchers at Bluebox Security informed Google about the flaw called Android security bug 8219321 way back in February 2013 and they now plan to reveal details of the security issue at an upcoming security conference. Theoretical security flaws exist in almost every piece of software including Microsoft Windows Phone, Android and iOS. The change from theoretical to real can be a long but not impossible. The question is, is there any real danger to current Android users. The answer is in a grey area. Bluebox Security says that the bug is present in 99% of all Android devices and they are correct. Until Google releases a patch and the manufacturers release updates then the majority of Android devices remain exposed! However, the key with any vulnerability is how easy is it to exploit? As always, users who download apps from third party sites including, but not limited to, torrents and media sharing sites are in the most danger as the most common way for hackers to spread malware is to upload a copy of popular software that has been modified to include malicious code. If hackers discover the secrets to the Bluebox Security method of altering an app without breaking its cryptographic signature, then apps with system level access could be installed on any version of Android from 1.6 to 4.2, (even those which have not been rooted). For users who only use the official Google Play Store, then the chances of malware infection in this manner are very small indeed. It is unlikely that hackers will be able to get one of these apps into Google Play and we can assume that since Google has known about this bug for five months, then it has already implemented safeguards into the app store upload process to block said apps from appearing online.
As has been said countless times before, only download from Google Play or the Amazon App Store for security reasons if nothing else!
[Image via: thehackingalert]