Thursday, July 18, 2013

Android pwned. Again.

Two huge security holes in Android this month.  First up was last week's Master Key vulnerability:
A four-year-old Android bug could be used to plant malware on 99 per cent of Android devices on the market, according to security researchers.

Bluebox Security CTO Jeff Forristal said the vulnerability in Android’s security model creates a means for hackers to modify an Android app's APK code without breaking its cryptographic signature.

This means that any legitimate application - even those afforded elevated privileges by the device manufacturer - could be turned into a malicious Trojan before being offered for download. The difference between the two would not be readily detectable by either the smartphone or the app store - much less an end user.
You see what's coming next, don't you?
Google Play alert: An information security researcher has spotted two apps that use the master key vulnerability that's present in an estimated 99% of all Android devices. But rather than being distributed by sketchy third-party app stores, which are known for harboring malicious apps that have been disguised as free versions of the real thing, these two apps are available directly from the official Google Play app store.


Fortunately, the apps don't appear to be malicious. But the presence of the free apps -- Rose Wedding Cake Game and Pirates Island Mahjong Free, which have been downloaded by between 15,000 and 60,000 people -- on the Google Play site calls into question whether Google is now scanning for apps that abuse the so-called master key vulnerability that was discovered by Bluebox Labs in February and detailed by Android hackers earlier this month.
Doesn't take long for something this big to get out in the wild.  And now there's a second vulnerability that the Bad Guys can play with:
Hot on the heels of the so-called "master key" hole in Android comes what Chinese Android researchers are calling "a similar vulnerability."


They've definitely found a bug, and another embarrassing one for Google's coders, too.
Pretty heavy duty geekery there.

The real problem isn't that Android has vulnerabilities - after all, everything has vulnerabilities.  The problem is that the process of getting a fix from Google to you is broken.  With an iPhone, Apple releases a patch, iTunes checks for it, and downloads it straight from Apple for you.  It doesn't matter who your carrier is - AT&T, Verizon, T-Mobile, Orange: macht nichts.

It's different with Android.  Google releases a fix, and sends it to the handset manufacturer (e.g. Samsung).  At some time in the future, Samsung includes the fix and sends it to the carriers (e.g. AT&T).  After another delay, AT&T updates the image for your Galaxy S.  Maybe.  Then you can get it.

Fail.  It's so bad that some security dudes created a hotpatch app that you can (and should) download from the Google Play store:
Jon Oberheide, CTO of Duo Security, told El Reg that ReKey provided notification of attempted attacks featuring dodgy APKs as well as blocking the Bluebox master key and similar malware padding attacks.

...

"Since ReKey only patches in-memory (and then re-patches upon boot of the device), it is non-destructive and makes no permanent changes to the user's device. When the official patch is delivered to the device, it can interoperate peacefully."

The ReKey app was released on Tuesday and is available to download at rekey.io as well as through the Google Play Store.

A blog post by Duo Security with more context and technical information about ReKey can be found here.

"The security of Android devices worldwide is paralysed by the slow patching practices of mobile carriers and other parties in the Android ecosystem," Oberheide concluded.
Quite frankly, the whole situation shows that the Android security model is a train wreck.  I can't in good conscience recommend that anyone use Android until the patch distribution process gets under control.

6 comments:

Matt W said...

After this recent batch of serious vulnerabilities, I actually find myself considering a switch to iOS. Normally I support open systems and believe they result in more secure products - but in this case with all the forking and distribution issues - patching major vulnerabilities quickly will be a serious problem.

Anonymous said...

"The security of Android devices worldwide is paralysed by the slow patching practices of mobile carriers and other parties in the Android ecosystem," Oberheide concluded.

Yep. Enter Cyanogenmod and other mods.

Yeah, there's some pain doing the first install, and I'm under no illusions as to the Average Joe being able (or willing) to go through it.

But once that's done, the updates are no more difficult than those from the carrier.

The problem isn't the OS, as you point out. The problem is the ecosystem.

Amazon has its own Android app store, but those apps are usually *less* up to date.

I wish someone would take on that task and have an app store with vetted apps.

Until then (and probably beyond), I'll stay with Cyanogenmod+Lookout.

Dave H said...

Matt W: Ordinarily open systems are faster to get issues resolved and patches published. But the U.S. wireless carriers learned a lot from the original AT&T, starting with the word monopoly. They're about as open as the vault at Fort Knox.

Anonymous said...

Seeing this, I immediately brought up Play store on my Nook HD+ and tried using it. The program says it's only for "rooted phones" and you must have root access to run the program.

Guess I'm not installing this one today.

TOTWTYTR said...

What atomic-fungus said. So, are only rooted phones vulnerable? Is this an Android geek problem that the rest of us don't need to worry about?

Yout wants to know.

Rick C said...

I would guess that you need (maybe "need") a rooted phone so that you can run the hotpatch app, which probably needs permissions you can't normally get on a phone. So it's probably not that only rooted phones are vulnerable so much as that unrooted phones can't be patched this way. Make sense?

You could probably use a temporary root app, but I don't know.