Attackers could exploit a vulnerability in how Android applications are checked for security to take full control of a mobile device, and almost all Android versions are affected, it has been warned.
The flaw, which affects any version of Android released in the last four years, would allow a hacker to change Android application packages (APKs) without altering the app’s cryptographic signature, according to security start-up BlueBox.
That means they could add malicious code to Trojanise official applications and, crucially, bypass security mechanisms on Android devices and on the Google Play store, which check the validity of cryptographic signatures whenever an app is updated. It gives attackers a “master key” into Android devices, the security firm claimed.
As it is believed Google has blocked any apps that could be exploited by the flaw from its official store, it would be tricky for attackers to get modified APKs on the Play platform.
If attackers placed their rogue app on third-party stores, which traditionally have laxer security protections, they might have more success.
No attacks in the wild have been reported thus far, however, and BlueBox has not revealed full details of the vulnerability.
It is believed Android partners would have been told some time ago, as the flaw was responsibly disclosed back in February, so device manufacturers should have updated their firmware to address it.
Google had not responded to a request for comment at the time of publication.
If attackers could get over the various hurdles, the impact would be massive, as BlueBox CTO Jeff Forristal noted in his blog post on the flaw, more details of which are to be announced at the Black Hat event taking place later this month.
The flaw would be particularly problematic if attackers were able to Trojanise apps made by device makers, as they often have low-level access to devices.
“While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access,” Forristal wrote.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed.
“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).”