A four-year-old Android bug could be used to plant malware on 99 per cent of Android devices on the market, according to security researchers.
Bluebox Security CTO Jeff Forristal said the vulnerability in Android’s security model creates a means for hackers to modify an Android app's APK code without breaking its cryptographic signature.
This means that any legitimate application - even those afforded elevated privileges by the device manufacturer - could be turned into a malicious Trojan before being offered for download. The difference between the two would not be readily detectable by either the smartphone or the app store - much less an end user.

You see what's coming next, don't you?
Google Play alert: An information security researcher has spotted two apps that use the master key vulnerability that's present in an estimated 99% of all Android devices. But rather than being distributed by sketchy third-party app stores, which are known for harboring malicious apps that have been disguised as free versions of the real thing, these two apps are available directly from the official Google Play app store.
Fortunately, the apps don't appear to be malicious. But the presence of the free apps -- Rose Wedding Cake Game and Pirates Island Mahjong Free, which have been downloaded by between 15,000 and 60,000 people -- on the Google Play site calls into question whether Google is now scanning for apps that abuse the so-called master key vulnerability that was discovered by Bluebox Labs in February and detailed by Android hackers earlier this month.

Doesn't take long for something this big to get out in the wild. And now there's a second vulnerability that the Bad Guys can play with:

Hot on the heels of the so-called "master key" hole in Android comes what Chinese Android researchers are calling "a similar vulnerability."
They've definitely found a bug, and another embarrassing one for Google's coders, too.

Pretty heavy duty geekery there.
The real problem isn't that Android has vulnerabilities - after all, everything has vulnerabilities. The problem is that the process of getting a fix from Google to you is broken. With an iPhone, Apple releases a patch, iTunes checks for it, and downloads it straight from Apple for you. It doesn't matter who your carrier is - AT&T, Verizon, T-Mobile, Orange: it makes no difference.
It's different with Android. Google releases a fix, and sends it to the handset manufacturer (e.g. Samsung). At some time in the future, Samsung includes the fix and sends it to the carriers (e.g. AT&T). After another delay, AT&T updates the image for your Galaxy S. Maybe. Then you can get it.
Fail. It's so bad that some security researchers (the Duo Security folks) created a hotpatch app that you can (and should) download from the Google Play store:
Jon Oberheide, CTO of Duo Security, told El Reg that ReKey provided notification of attempted attacks featuring dodgy APKs as well as blocking the Bluebox master key and similar malware padding attacks.
...
"Since ReKey only patches in-memory (and then re-patches upon boot of the device), it is non-destructive and makes no permanent changes to the user's device. When the official patch is delivered to the device, it can interoperate peacefully."
The ReKey app was released on Tuesday and is available to download at rekey.io as well as through the Google Play Store.
A blog post by Duo Security with more context and technical information about ReKey can be found here.
"The security of Android devices worldwide is paralysed by the slow patching practices of mobile carriers and other parties in the Android ecosystem," Oberheide concluded.

Quite frankly, the whole situation shows that the Android security model is a train wreck. I can't in good conscience recommend that anyone use Android until the patch distribution process gets under control.
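For readers who want to see what "modify the APK without breaking the signature" and "notification of attempted attacks featuring dodgy APKs" actually look like in code, here is an added example. It is not code from this post, from Bluebox, or from Duo Security's ReKey. An APK is an ordinary ZIP archive, and the bug Bluebox disclosed comes down to an archive containing two entries with the same name (for example two classes.dex files): the signature verifier digested one copy while the installer extracted and ran the other, so the signature over the original bytes still checked out. The example below models that split rather than reproducing Android's exact code paths: the naive verifier looks entries up by name (Python's zipfile returns the last copy for a duplicated name) while the loader walks the central directory and takes the first copy. The dex bytes and the one-entry "signed manifest" are constructed stand-ins, not a real APK signature. The practitioner's check, used both by the hardened verifier and as a standalone scanner, is simply to reject any archive whose central directory lists a name twice.

```python
"""Duplicate-entry ("master key") check for APKs, which are plain ZIP archives.

Added example with a constructed manifest model; not a real APK signature scheme.
"""
import hashlib
import io
import warnings
import zipfile

# Constructed stand-ins: the real dex magic ("dex\n035\0") followed by filler.
ORIGINAL_DEX = b"dex\n035\x00 original app code"
MALICIOUS_DEX = b"dex\n035\x00 trojanised app code"


def sha1(data):
    return hashlib.sha1(data).hexdigest()


def build_zip(entries):
    """Build an in-memory ZIP from (name, bytes) pairs. Duplicate names are kept
    in insertion order, which is how the exploit APKs were assembled."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; we want them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def naive_verify(apk, manifest):
    """Model of a verifier that fetches entries by name. In Python's zipfile the
    last copy of a duplicated name wins, so only that copy is digested."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return all(sha1(zf.read(name)) == digest for name, digest in manifest.items())


def naive_load(apk, name):
    """Model of a loader that scans the central directory and takes the first
    match. The bug was that verifier and installer did not pick the same copy."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as f:
                    return f.read()
    raise KeyError(name)


def duplicate_entries(apk):
    """Names that occur more than once in the central directory (the scanner check)."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            counts[info.filename] = counts.get(info.filename, 0) + 1
    return sorted(name for name, count in counts.items() if count > 1)


def strict_verify(apk, manifest):
    """Hardened verifier: reject duplicates outright, require the entry set to
    match the manifest exactly, and digest each entry via its own ZipInfo."""
    if duplicate_entries(apk):
        return False
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        infos = {info.filename: info for info in zf.infolist()}
        if set(infos) != set(manifest):
            return False
        for name, digest in manifest.items():
            with zf.open(infos[name]) as f:
                if sha1(f.read()) != digest:
                    return False
    return True


# Constructed "signed" manifest: entry name -> SHA-1 of the legitimate content.
MANIFEST = {"classes.dex": sha1(ORIGINAL_DEX)}

LEGIT_APK = build_zip([("classes.dex", ORIGINAL_DEX)])
# Attacker's APK: malicious copy first, untouched original second, same name.
TROJAN_APK = build_zip([("classes.dex", MALICIOUS_DEX), ("classes.dex", ORIGINAL_DEX)])


def demo():
    return {
        "legit_naive": naive_verify(LEGIT_APK, MANIFEST),
        "trojan_naive": naive_verify(TROJAN_APK, MANIFEST),  # True: wrong copy was checked
        "trojan_loaded_is_malicious": naive_load(TROJAN_APK, "classes.dex") == MALICIOUS_DEX,
        "trojan_dupes": duplicate_entries(TROJAN_APK),
        "legit_strict": strict_verify(LEGIT_APK, MANIFEST),
        "trojan_strict": strict_verify(TROJAN_APK, MANIFEST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the naive verifier accepts the trojanised archive while the loader hands back the malicious bytes; the strict verifier refuses the same archive before looking at a single digest. The duplicate check alone (duplicate_entries) is the cheap, signature-independent test an app store or an on-device watcher can apply to every incoming APK.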
