
Security flaw opens all modern Android devices to "zombie botnet" takeover [u]

post #1 of 245
Thread Starter 
A newly discovered flaw in Google's Android security model enables rogue apps to gain full access to the Android system and all installed apps, read all data on the device, harvest passwords and create a botnet of "always-on, always-connected and always-moving" spy devices tracking users' location while secretly recording.

Android security flaw


The far reaching vulnerability, discovered by San Francisco's Bluebox Security, involves "discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature."

Android apps (packaged as an "APK") are signed with an encryption key (just like iOS apps) to prevent a malicious party from changing the code. Signed apps are expressly designed to enable the system to detect any tampering or modification.

However, due to the newly discovered Android flaw, a rogue developer can trick the system into thinking that a compromised app is still legitimate, giving it system wide access to do virtually anything.

"A device affected by this exploit could do anything in the realm of computer malice, including become a part of a botnet, eavesdrop with the microphone, export your data to a third party, encrypt your data and hold it hostage, use your device as a stepping stone to another network, attack your connected PC, send premium SMS messages, perform a DDoS attack against a target, or wipe your device," a representative of the company wrote AppleInsider.

Affects everything Android, in a big way



The flaw has been in place since the release of Android 1.6 "Donut," meaning it affects virtually all Android devices sold over the last four years, essentially all of the installed base of Android devices: Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich and Jelly Bean.

Mobile OS installed base stats


A compromised app exploiting the vulnerability can take the appearance of a legitimate app that has been given wide access to system resources. Bluebox notes that many of Android licensees' own apps (such as those from HTC, Samsung, Motorola or LG) as well as many VPN apps (such as Cisco's AnyConnect) are customarily "granted special elevated privileges within Android, specifically System UID access."

After bypassing Android's app-signing model to take the place of such an app, rogue malware can obtain "full access to Android system and all applications (and their data) currently installed."

This means the app subsequently "not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)."

Bluebox adds, "finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."

A big flaw to fix, requiring 900 million firmware updates



Bluebox disclosed the vulnerability to Google and members of the Open Handset Alliance in February 2013, but the firm notes that "it's up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."

So far, Android licensees have been extremely slow to roll out any updates for their users, often refusing to bother with distributing even significant security patches.

Android's unaddressed security lapses have helped make it the world's leading mobile platform for malware, a problem many of its supporters simply refused to acknowledge. However, this new vulnerability puts Android users at even more risk, because now they can't even trust apps signed by a legitimate developer.

As security firm F-Secure noted in May, "the Android malware ecosystem is beginning to resemble that which surrounds Windows."

Bluebox will be detailing the vulnerability in a Black Hat USA 2013 session by its chief technology officer Jeff Forristal.

Partial containment, Google not open to talking about it



Update: a report by Computerworld notes that Samsung has included a patch rectifying the issue for one device: its flagship Galaxy S4. The article noted Forristal as saying that "Google has not released patches for its Nexus devices yet, but the company is working on them."

"Google declined to comment on the matter," the report added. "The Open Handset Alliance did not respond to a request for comment."

However, Google has blocked distribution of apps exploiting the flaw in Google Play, although if a user is tricked into manually installing a malicious update "for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store."

Addressing the issue of updating the hundreds of millions of Android devices that have already been sold, Computerworld observed, "the slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users.

"Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws."
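The article describes the flaw as a disagreement between the code that verifies an APK's signature and the code that installs it. One reported form of such a disagreement is a ZIP archive that carries the same file name twice, so that the verifier hashes one copy while the installer unpacks the other. The following check is an added example, not code from the article, Bluebox or Google; it flags any APK whose central directory repeats a name, which a legitimately signed package should never do, and uses a constructed in-memory archive rather than a real APK.

```python
"""Triage check: does an APK (a ZIP file) list the same name more than once?
Added example with constructed sample data; no real APK content is used."""
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map each file name that appears more than once in the central directory
    to a list of (entry_index, sha1_of_that_copy) for every copy found."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, duplicates included;
        # opening by ZipInfo reads that specific copy via its own header offset.
        for index, info in enumerate(zf.infolist()):
            with zf.open(info) as fh:
                digest = hashlib.sha1(fh.read()).hexdigest()
            seen[info.filename].append((index, digest))
    return {name: copies for name, copies in seen.items() if len(copies) > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive can be read two different ways by two parsers."""
    return bool(duplicate_entries(apk_bytes))


def read_by_name(apk_bytes: bytes, name: str) -> bytes:
    """What a name-keyed parser hands back: Python's zipfile resolves a repeated
    name to its LAST record, so a first-record parser would see other bytes."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def build_apk(entries) -> bytes:
    """Construct a minimal stored zip from (name, data) pairs; names may repeat."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packages (placeholder contents, not real dex or manifests)
CLEAN_APK = build_apk([
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("classes.dex", b"original dex bytes"),
])
DOUBLE_APK = build_apk([
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("classes.dex", b"original dex bytes"),     # copy one parser might hash
    ("classes.dex", b"replacement dex bytes"),  # copy another parser might load
])

if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN_APK), ("double", DOUBLE_APK)):
        print(f"{label}: suspicious={is_suspicious(pkg)} "
              f"duplicates={duplicate_entries(pkg)}")
```

Run it against an APK pulled from a device or an update notification to see whether the package is internally consistent before trusting its signature status.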
post #2 of 245
When your agenda is to collect as much information about users as possible, security will never be prioritized.
post #3 of 245
That's Android for you.
Fun and relaxing way to prepare Japanese Language Proficiency Test (JLPT) test with Juku Apps
post #4 of 245

@hydr - Completely agree. There will always be a way here to get access to data. 

 

The curious part of me wonders how they're going to implement a security fix with so much fragmentation.

 

 

Quote:
The reason why they are analysts is because they failed at running businesses.
post #5 of 245

To all the Walled Garden Apple-hating idiots; welcome to the wide-assed open Android OS where free malware abounds. 

 

I've been waiting for this day, for it was sure to come. Now, 900 million Android customers are re-thinking their earlier choice. I'd not be surprised if Apple sales sees a surge that would put the Sandy hurricane to shame... The new iPhones can't get here soon enough...!!!

"That (the) world is moving so quickly that iOS is already amongst the older mobile operating systems in active development today." — The Verge
post #6 of 245
Since Google is one of the worse offenders in collecting data it's not surprising they have not spotted this.
post #7 of 245
"Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem"

--

So this affects all the Android users who root and side load apps. Let's forget for a second most of those users are smart enough to manage their device security without hand holding, and say this is a whopping 2% of the market...maybe. Thanks for the scary headline I guess.
Edited by koop - 7/3/13 at 3:51pm
post #8 of 245

From the source article:

Quote:
"Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed."

Doesn't this mean this story is basically non-issue? I could be wrong, but the article implies that the rogue application has to come from HTC or Samsung, not from Google Play.

post #9 of 245

Certainly more concerning than the Apple charger exploit that was recently discovered that affects all devices running iOS.  At least with the charger exploit an attacker has to have physical access to your device.

 

Hopefully fixes for both get pushed through so we can all be a little safer.

post #10 of 245

 

Quote:
"Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem"

--

So this affects all the Android users who root and side load apps. Let's forget for a second most of those users are smart enough to manage their device security without hand holding, and say this is a whopping 2% of the market...maybe. Thanks for the scary headline I guess.

 

Quote:

From the source article:

Quote:
"Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed."

Doesn't this mean this story is basically non-issue? I could be wrong, but the article implies that the rogue application has to come from HTC or Samsung, not from Google Play.

 

Is Google Play the only app store for Android?

post #11 of 245
Quote:
Originally Posted by avium View Post

 

Is Google Play the only app store for Android?

 

There are countless app stores.  The Play store and Amazon's app store are the only ones worth using in the US though.  The rest are sub-par and usually offer the same apps that one can find in the Play store anyways.

post #12 of 245
Most amazing is not this story (it was only a matter of time, DED called Android an amateur OS for a reason). What is amazing is that you can check any Android-hangout, from Android Central to the Verge's Android page to engadget to gizmodo... There seems to be no demand to even alert users about this. Not one mention anywhere.
post #13 of 245
Quote:
Originally Posted by avium View Post

 

Is Google Play the only app store for Android?

 

The only one people use and care about. Amazon is the next best one. 

 

I'm willing to bet 95% of Android users don't even know they can side load applications and will always be getting apps strictly from the Google Play store. As much as Apple users gloat about being walled in (I don't mind it myself) and that's secure, most best selling Android phones in their default settings are fairly locked down out of the box. Mostly the tech heads remove those restrictions, and it's on them to be careful about non-curated software. 

 

Again, AI glossed over the fact that those who strictly use Google Play (almost everyone) will not be bothered by this issue. Any infection will require social engineering, which is a user error more than anything. 

post #14 of 245

The fact of the matter is that the vast majority of Android users will not even read about this, and they'll go about life blissfully unaware of an exploit on their device. Most of this vast majority won't even bother to update their phones to remove/block the exploit.

 

I've been getting lots of spam recently plus legit emails from sites I have never visited -- narrowed it down to two people's computers/phones which were compromised. If the spam doesn't stop soon I will most definitely be changing my email addresses.

post #15 of 245
Quote:
Originally Posted by DroidFTW View Post

Certainly more concerning than the Apple charger exploit that was recently discovered that affects all devices running iOS.  At least with the charger exploit an attacker has to have physical access to your device.

Hopefully fixes for both get pushed through so we can all be a little safer.

Oh boy. If you're going to be a paid shill, at least take the trouble to write decent English and punctuate a bit better?
post #16 of 245
The benefits of "open".

No worries, android users can hack into their phones and repair the security flaws themselves.
post #17 of 245
Quote:
Originally Posted by sip View Post

The fact of the matter is that the vast majority of Android users will not even read about this, and they'll go about life blissfully unaware of an exploit on their device. Most of this vast majority won't even bother to update their phones to remove/block the exploit.

 

I've been getting lots of spam recently plus legit emails from sites I have never visited -- narrowed it down to two people's computers/phones which were compromised. If the spam doesn't stop soon I will most definitely be changing my email addresses.

 

The vast majority of Android users have 5 apps on their phone max, use Google Play and have little need to be concerned about the issue. 

post #18 of 245
Buy iOS and OS X!!!
post #19 of 245
Quote:
Originally Posted by emig647 View Post

The curious part of me wonders how they're going to implement a security fix with so much fragmentation.

They won't! At least not one that will make it to phones.
post #20 of 245
"Rogue Developers", classic. It's right up there with "Ancient Astronaut Theorists".
post #21 of 245
Quote:
Originally Posted by CustomTB View Post


They won't! At least not one that will make it to phones.

 

According to koop it's already been addressed.  I hope they do something at the OS level for those that they can in addition to the Play Store fix.

 

 

Quote:
Originally Posted by iSteelers View Post

"Rogue Developers", classic. It's right up there with "Ancient Astronaut Theorists".

 

The contempt and distrust for 3rd party devs at this site really amazes me.  Especially considering there are many members here who are 3rd party devs themselves.

post #22 of 245
Quote:
Originally Posted by koop View Post

"Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem"

--

So this affects all the Android users who root and side load apps. Let's forget for a second most of those users are smart enough to manage their device security without hand holding, and say this is a whopping 2% of the market...maybe. Thanks for the scary headline I guess.

 

If nobody "sideloads" apps, then why do Android proponents cite it as a primary feature of the platform? 

 

Also, 2% of statistics unfavorable to one's personal wishes are just pulled from your ass, apparently.

post #23 of 245
Quote:
Originally Posted by koop View Post

 

The only one people use and care about. Amazon is the next best one. 

 

I'm willing to bet 95% of Android users don't even know they can side load applications and will always be getting apps strictly from the Google Play store. As much as Apple users gloat about being walled in (I don't mind it myself) and that's secure, most best selling Android phones in their default settings are fairly locked down out of the box. Mostly the tech heads remove those restrictions, and it's on them to be careful about non-curated software. 

 

Again, AI glossed over the fact that those who strictly use Google Play (almost everyone) will not be bothered by this issue. Any infection will require social engineering, which is a user error more than anything. 

 

But that isn't true.

 

"if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play"

 

Imagine how easy it would be to send out update notices for Facebook that install a new version of the app that looks to the system like the one it "securely" installed via Google Play. Broken. This is a real issue, and it's not easy to solve. Curious why you're so interested in nobody hearing about it. Security through obscurity? Market share through incompetent dumping?

 

Also: putting one's head in the sand and saying there is no malware problem didn't work for Windows XP a decade ago. 


Edited by Corrections - 7/3/13 at 4:48pm
post #24 of 245
Go figure apple has a minor pass code bypass hack that requires access to the device and the press flips out... But android has a gainer ability that allows people to literally steal your device right out from under your nose and people see not to care... Wtf
post #25 of 245

Not sure why some people play this issue down and claim that using Google Play is safe. It's not at all, read the article.

 

Yes, it does at some point refer to manufacturer apps, however it doesn't mean that only such apps can cause harm. It merely means that such apps tend to have privileges within the system that go beyond the permissions regular store apps have.

 

That doesn't mean that no other app can be malicious; in fact they can, and they can be just as severe, depending on the permissions the application in question requires. This is a HUGE deal.

post #26 of 245
Are they talking about the app signing spoof that basically all of xda uses to get apps that don't work on certain phones (Google Wallet) to load? If so, this is a non-story and like someone said above, it doesn't affect the average consumer or the tech savvy rooters.
post #27 of 245
So - according to this, I have to load a compromised app (an app originally signed and distributed by a legitimate developer, then compromised by a rogue). Can someone explain how this is supposed to happen via the app store? Doesn't seem likely. Seems more likely to happen if the user downloads and then sideloads such a rogue/hacked app.

"However, due to the newly discovered Android flaw, a rogue developer can trick the system into thinking that a compromised app is still legitimate, giving it system wide access to do virtually anything."
post #28 of 245

Does this affect all of the new Gingerbread phones? 

post #29 of 245
Sounds like if you go Android it would be a good idea to go with a late model Google made phone or at least the S4 special & others that are being offered with the pure Android operating system
post #30 of 245
Quote:
Originally Posted by koop View Post

 

The vast majority of Android users have 5 apps on their phone max, use Google Play and have little need to be concerned about the issue. 

No the vast majority of Android users can't even use Google Play. These are the ones Google doesn't count anymore to make their fragmentation look better.  Their super cool tech friends tell them where to go to get the best apps free because they don't want to pay for anything.  

post #31 of 245
That's one way to get them to upgrade to a new version...
post #32 of 245
Quote:
Originally Posted by Macky the Macky View Post

To all the Walled Garden Apple-hating idiots; welcome to the wide-assed open Android OS where free malware abounds. 

 

I've been waiting for this day, for it was sure to come. Now, 900 million Android customers are re-thinking their earlier choice. I'd not be surprised if Apple sales sees a surge that would put the Sandy hurricane to shame... The new iPhones can't get here soon enough...!!!

 

I doubt that 5% are rethinking this as most of them purchased this Feature-Smart phone just for a phone and know no better. 

post #33 of 245
Quote:
Originally Posted by mrrodriguez View Post

Are they talking about the app signing spoof that basically all of xda uses to get apps that don't work on certain phones (Google Wallet) to load? If so, this is a non-story and like someone said above, it doesn't affect the average consumer or the tech savvy rooters.

If this is the same thing that APKTool does then that would mean this is just sensationalist "journalism." Surely DED would never take part in such activities just to make Android look bad.
post #34 of 245
Quote:
Originally Posted by Corrections View Post

 

If nobody "sideloads" apps, then why do Android proponents cite it as a primary feature of the platform? 

 

Also, 2% of statistics unfavorable to one's personal wishes are just pulled from your ass, apparently.

 

Correct. Go to any tech blog where Android sycophants hang out and they'll be happy to tell you that the ability to root and side load apps is what makes Android so "popular" with the masses. It's all about openness and freedom to do whatever you want, they say. Now we have an Android apologist claiming otherwise.

post #35 of 245
Quote:
Originally Posted by Everett Ruess View Post

Sounds like if you go Android it would be a good idea to go with a late model Google made phone or at least the S4 special & others that are being offered with the pure Android operating system

 

The "pure Android" Google Nexus models have not been updated yet. Google has known about it since February. That's four months of being quiet about a serious security vulnerability.

 

On an "open" platform.

post #36 of 245

Unlikely to affect the majority of Android "users"... 

 


If you value privacy you can now set DuckDuckGo as your default search engine in iOS and OS X.
post #37 of 245

Wow! Reading comprehension goes out the window when you're blinded by bias.

 

Anyone who thinks this is a minor threat really needs to get their head examined. This vulnerability affects ALL apps in so much that any UPDATE made to that app regardless of where it was originally installed, can potentially be infected without the operating system knowing. Obviously any curated app store will be immune to this if they are diligent in checking for malware. But a user tricked into an update from another source is at risk and this is the real problem as most users aren't aware of what's happening... this was the biggest problem with most Windows epidemics; clueless users clicking things they shouldn't.

 

A user could go to a website that's been hacked and a message pops up that looks like a system message, saying something like...

 

"There is a new version of the Calculator app... Would you like to update?"

 

Well, how threatening is a calculator app... not at all, most people who didn't realize what was happening would probably click Yes. Then their device would be infected. The same thing could happen from an official looking email.


Edited by mjtomlin - 7/3/13 at 5:27pm
Disclaimer: The things I say are merely my own personal opinion and may or may not be based on facts. At certain points in any discussion, sarcasm may ensue.
post #38 of 245
Quote:
Originally Posted by lkrupp View Post

 

Correct. Go to any tech blog where Android sycophants hang out and they'll be happy to tell you that the ability to root and side load apps is what makes Android so "popular" with the masses. It's all about openness and freedom to do whatever you want, they say. Now we have an Android apologist claiming otherwise.

 

The fact that you have come across an abundance of tech nerds frequenting tech blogs doesn't surprise me.  Of course they're going to say that it's a hugely popular feature because in their circle it is.  I'm a tech nerd and I love that I can root and side load apps.  If I had an iPhone I'd jailbreak it and sideload the occasional app too.  Not much difference in that department.

post #39 of 245
Quote:
Originally Posted by GTR View Post

Unlikely to affect the majority of Android "users"... 

 


I wonder what's going to happen with regards to returns once this news gets widely distributed around the world in local newspapers and TV?

post #40 of 245
Quote:
Originally Posted by DroidFTW View Post

 

The fact that you have come across an abundance of tech nerds frequenting tech blogs doesn't surprise me.  Of course they're going to say that it's a hugely popular feature because in their circle it is.  I'm a tech nerd and I love that I can root and side load apps.  If I had an iPhone I'd jailbreak it and sideload the occasional app too.  Not much difference in that department.

The number of people actually rooting their system, etc. is very small, but I think those kind of geeks collect devices so they represent a lot of sales in units.  The average person doesn't have or want to spend time being a phone geek, they have other things to do with their life than geeking out with a smartphone.
