Bluebox Security posted an article on its blog yesterday stating that its research arm, Bluebox Labs, recently discovered a vulnerability in Android's security model that allows an attacker to modify APK code without breaking the application's cryptographic signature, turning any legitimate application into a malicious Trojan completely unnoticed by the app store, the phone, or the end user. According to Bluebox Security, the implications are huge: the vulnerability has existed at least since the release of Android 1.6 (Donut) and could therefore affect any Android phone released in the last four years, nearly 900 million devices.
As Jeff Forristal, Bluebox CTO, wrote, the risk to individuals and enterprises is great: a malicious app can access personal data or gain entry into an enterprise network. This risk is compounded when you consider applications developed by the device manufacturers, or by third parties working in cooperation with the device manufacturer, that are granted special elevated privileges within Android, specifically system UID access.
Bluebox Security explains that installing a Trojan built from an application signed by the device manufacturer can grant it full access to the Android system and to all currently installed applications and their data. The application then not only gains the ability to read arbitrary application data on the device, including email, SMS and WhatsApp messages, documents, etc., but can also retrieve all stored account and service passwords. Last but not least, Bluebox says there is the potential for attackers to take advantage of the always-on, always-connected, and always-moving (and therefore hard-to-detect) nature of these "zombie" mobile devices to build a botnet.
Bluebox Security gives some insight on its blog into how the attack works, so if you are interested in more details, have a look there. The company highlights that details of Android security bug 8219321 were responsibly disclosed to Google in February 2013 through Bluebox Security's close relationship with Google, and that it is now up to the device manufacturers to produce and release firmware updates for their devices.
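The post does not spell out the mechanism, so as an added example (not code from the original post and not Bluebox's own tooling) here is the check a practitioner would want: the bug Bluebox reported as 8219321 works because an APK is a ZIP file that can carry two entries with the same name, and the component that verifies the signature and the component that installs the code do not agree on which of the two counts. The script below builds a constructed, unsigned APK-like ZIP in memory with a duplicated `classes.dex`, flags the duplicate from the central directory, and shows that a "first match" reader and a "last match" reader get different bytes for the same name. Which side picks which match is an assumption of the demo, not a statement about Android's internals; the function, file and entry names are illustrative.

```python
import io
import warnings
import zipfile


def build_sample_apk(tampered: bool) -> bytes:
    # Constructed, minimal APK-like ZIP built in memory; not a real app and
    # not signed. The first classes.dex stands for the entry covered by the
    # original signature; with tampered=True a second entry of the same name
    # is appended after it, the way a modified APK would carry attacker code.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00ORIGINAL")
        zf.writestr("META-INF/MANIFEST.MF", b"Name: classes.dex\n")
        if tampered:
            with warnings.catch_warnings():
                # zipfile warns "Duplicate name" but still writes the entry
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035\x00TROJAN")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry name: occurrences} for every name listed more than once
    in the ZIP central directory. An empty dict means the APK is clean with
    respect to this check."""
    counts = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():  # infolist() keeps duplicate names
            counts[info.filename] = counts.get(info.filename, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def first_and_last(apk_bytes: bytes, name: str) -> tuple:
    """Return (bytes seen by a first-match reader, bytes seen by a last-match
    reader) for one entry name. When the two differ, a verifier and an
    installer that resolve the name differently check and run different code."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        matches = [i for i in zf.infolist() if i.filename == name]
        if not matches:
            raise KeyError(name)
        # ZipFile.read() accepts a ZipInfo, so each copy is read from its own
        # local header offset rather than via the name lookup table.
        return zf.read(matches[0]), zf.read(matches[-1])


def scan_apk_file(path: str) -> dict:
    """Run the duplicate-name check on an APK on disk."""
    with open(path, "rb") as f:
        return duplicate_entries(f.read())


if __name__ == "__main__":
    for label, apk in (("clean", build_sample_apk(False)),
                       ("tampered", build_sample_apk(True))):
        dupes = duplicate_entries(apk)
        print(f"{label}: duplicates={dupes or 'none'}")
        if dupes:
            first, last = first_and_last(apk, "classes.dex")
            print(f"  first match: {first!r}\n  last match:  {last!r}")
```

Run it as-is to see the constructed sample, or call `scan_apk_file("some.apk")` on a real package; any non-empty result is a package that a plain ZIP reader and the Android signature verifier can interpret differently and should be treated as hostile until explained.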
Forristal will unveil further technical details of the issue in his Black Hat USA 2013 talk. In the meantime, Bluebox Security recommends that device owners be extra cautious in identifying the publisher of any app they want to download. Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping devices updated.
Let's see how valid Bluebox Security's information is, and whether it's not just a sales show for their products and services.
Cheers ~ Arne