Android Has Had A Major Vulnerability For The Last 4 Years

Android is not known for its security implementation, as many security analysts and competitors have pointed out. It now seems that the world's most used mobile OS has carried a major vulnerability for the last four years, since version 1.6 (Donut). The flaw lets an attacker change the contents of an .apk (Android package) file without invalidating its cryptographic signature. In practice that means the whole signature check can be bypassed: a trojan can be planted inside a legitimately signed Android app and the modified package will still install as if it were the genuine one.


The vulnerability, tracked as Android security bug 8219321, was discovered by Bluebox Security and reported to Google in February 2013. The onus for getting a fix onto devices is on the manufacturers, who have to ship it in their own firmware updates, and for most devices that probably has not happened yet. The flaw is in the way Android verifies and then installs an app. Every app is signed, and that signature is what tells the system the package comes from the developer it claims to. The bug lies in how the package's ZIP container is parsed: the signature verifier and the installer read the archive with different code, and when the archive contains two entries with the same name they can disagree about which one they are looking at. The verifier checks the copy that matches the signature, the installer extracts the other one, and because the signature itself is never touched, the tampered package is accepted as coming from a trusted source and the injected code runs under that app's identity.
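The following Python model, added here as an illustration and not code from Bluebox or from Android, shows the class of flaw described above: a jar-style per-entry digest manifest is authenticated once, a verifier resolves each file name to one copy in the archive, and an installer resolves the same name to a different copy. The package contents, entry names, the signing key and the use of HMAC as a stand-in for the developer's RSA signature are all constructed for the example, and which side sees the first copy and which the last is an assumption of the model, not a statement about Android's parsers. The hardened verifier at the end refuses any archive with duplicate entry names, which is the check a practitioner would want regardless of which parser is in use.

```python
import hashlib
import hmac
import io
import warnings
import zipfile

# Constructed sample data (not a real APK, key or signature).
SIGNING_KEY = b"demo-developer-key"          # stand-in for the developer's private key
MANIFEST_XML = b"<manifest package='com.example.demo'/>"
BENIGN_DEX = b"bytecode: benign classes.dex"
TROJAN_DEX = b"bytecode: trojan classes.dex"


def build_package(entries):
    """Write (name, bytes) pairs into a ZIP in the given order; duplicate names are allowed."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def first_copies(zf):
    """Resolve each name to the FIRST entry carrying it (the verifier's choice in this model)."""
    resolved = {}
    for info in zf.infolist():
        resolved.setdefault(info.filename, info)
    return resolved


def digest_entries(package):
    """Per-entry SHA-256 digests, the way a jar-style manifest records them."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {name: hashlib.sha256(zf.open(info).read()).hexdigest()
                for name, info in first_copies(zf).items()}


def mac_of(manifest):
    """Authenticate the digest list; HMAC stands in for the real signature."""
    lines = "\n".join(f"{n}:{d}" for n, d in sorted(manifest.items())).encode()
    return hmac.new(SIGNING_KEY, lines, hashlib.sha256).hexdigest()


def sign_package(package):
    """Developer side: record one digest per entry and sign the manifest."""
    manifest = digest_entries(package)
    return manifest, mac_of(manifest)


def verify_buggy(package, manifest, signature):
    """Verifier that checks the signed manifest against the first copy of every name."""
    if not hmac.compare_digest(mac_of(manifest), signature):
        return False
    return digest_entries(package) == manifest


def install_buggy(package, name="classes.dex"):
    """Installer side: zipfile.read() returns the LAST copy of a duplicated name."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return zf.read(name)


def verify_fixed(package, manifest, signature):
    """Hardened verifier: refuse any archive whose entry names are not unique."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
    if len(names) != len(set(names)):
        return False
    return verify_buggy(package, manifest, signature)


def demo():
    original = build_package([("AndroidManifest.xml", MANIFEST_XML),
                              ("classes.dex", BENIGN_DEX)])
    manifest, signature = sign_package(original)

    # Attacker appends a second classes.dex; manifest and signature are left untouched.
    tampered = build_package([("AndroidManifest.xml", MANIFEST_XML),
                              ("classes.dex", BENIGN_DEX),
                              ("classes.dex", TROJAN_DEX)])
    return {
        "buggy_verify_passes": verify_buggy(tampered, manifest, signature),
        "installed_is_trojan": install_buggy(tampered) == TROJAN_DEX,
        "fixed_verify_rejects": not verify_fixed(tampered, manifest, signature),
        "fixed_verify_accepts_original": verify_fixed(original, manifest, signature),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the signature never has to be broken: the verifier honestly confirms that the copy it sees matches what the developer signed, and the installer honestly extracts the copy it sees. The defect is that "the copy it sees" is answered by two different parsers. Rejecting duplicate names before any cryptographic check removes the ambiguity entirely.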

Bluebox has also shown how the flaw can be used to take complete control of an HTC phone. Apps signed with the device manufacturer's own key run with system privileges, so tampering with one of those packages gives an attacker access to any and all permissions on the device and the ability to make extensive modifications. Bluebox says this could be used to enrol the phone in a malicious botnet without the user ever being aware that their device has been compromised.

Source | Bluebox Security

Image Source | WMPoweruser

One Response to “Android Has Had A Major Vulnerability For The Last 4 Years”

  1. July 4, 2013 at 4:27 pm

    This is definitely something to keep your eyes open for. Even adventuring within the periphery of the Play Store seems risky, with this new revelation. People rarely opt for an alternative beyond top developers, so this won't be much of a concern unless you often frequent the shady areas of the Play Store.
