Security flaw opens all modern Android devices to "zombie botnet" takeover
A newly discovered flaw in Google's Android security model enables rogue apps to gain full access to the Android system and all installed apps, read all data on the device, harvest passwords and create a botnet of "always-on, always-connected and always-moving" spy devices tracking users' location while secretly recording.
The far-reaching vulnerability, discovered by San Francisco's Bluebox Security, involves "discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature."
Android apps (packaged as an "APK") are signed with the developer's private signing key (as iOS apps are) so that any change to the package after signing can be detected: the system checks the signature, and the per-file digests it covers, at install time and is supposed to reject a package whose contents no longer match.
Because of the newly discovered flaw, however, a modified APK can pass that check with the original developer's signature still intact. A trojanized copy of an app is therefore treated as a legitimate version of it and inherits whatever identity and privileges the genuine app holds, which for a vendor- or platform-signed app can amount to nearly unrestricted access to the device.
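The page quotes Bluebox only at the level of "discrepancies in how Android applications are cryptographically verified & installed". The mechanism Bluebox later documented for this bug (Android bug 8219321, assigned CVE-2013-4787; those details are not on this page) is that the signature verifier and the package installer read different copies of a ZIP entry when the archive contains two entries with the same name: the verifier hashes the first copy, which matches the signed manifest, while the installer extracts the second. The Python below is an added example, not Bluebox's or Google's code. It builds a toy JAR-style signed manifest (the per-entry SHA-1 digests of APK "v1" signing, with the RSA signature block over the manifest omitted), models a verifier that reads the first entry and an installer that reads the last, and includes the duplicate-name check a practitioner would run over an APK before trusting it. The archive contents are constructed sample bytes, not a real dex file.

```python
import hashlib
import io
import warnings
import zipfile
from base64 import b64encode

# Toy model of APK (JAR, "v1") signing, added for illustration; not Android's code.
# A real APK carries META-INF/MANIFEST.MF with a "Name:/SHA1-Digest:" pair per entry,
# plus a .SF file and an RSA/DSA signature block over it. The signature block is
# omitted here: the bug lives one layer down, in which zip entry gets hashed.

MANIFEST = "META-INF/MANIFEST.MF"


def sha1_b64(data: bytes) -> str:
    return b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(entries: dict) -> str:
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\n".join(lines)


def parse_manifest(text: str) -> dict:
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def build_apk(entries: dict, smuggled=None) -> bytes:
    """Pack a signed manifest plus entries; optionally append a second entry
    with a name that already exists (the tampering this bug class relies on)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile only warns about duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr(MANIFEST, build_manifest(entries))
            for name, data in entries.items():
                z.writestr(name, data)
            if smuggled:
                z.writestr(smuggled[0], smuggled[1])
    return buf.getvalue()


def verifier_accepts(apk: bytes) -> bool:
    """Verifier model: hash the FIRST entry of each name and compare with the manifest."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        digests = parse_manifest(z.read(MANIFEST).decode())
        first = {}
        for info in z.infolist():  # infolist() lists every entry, duplicates included
            first.setdefault(info.filename, info)
        return all(
            name in first and sha1_b64(z.open(first[name]).read()) == want
            for name, want in digests.items()
        )


def installer_extracts(apk: bytes, name: str) -> bytes:
    """Installer model: look up by name. CPython's zipfile, like the install path
    this bug class exploited, resolves a duplicated name to the LAST entry."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.read(name)


def duplicate_entries(apk: bytes) -> list:
    """The check to run before trusting an APK: a well-formed signed archive
    never has two entries with the same name."""
    seen, dups = set(), []
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.filename in seen:
                dups.append(info.filename)
            seen.add(info.filename)
    return dups


# Constructed sample contents; a real classes.dex is compiled Dalvik bytecode.
GENUINE = {"classes.dex": b"dex\n035\x00 genuine bytecode (constructed)",
           "AndroidManifest.xml": b"<manifest/> (constructed)"}
TROJAN = ("classes.dex", b"dex\n035\x00 attacker bytecode (constructed)")


def demo() -> dict:
    clean = build_apk(GENUINE)
    tampered = build_apk(GENUINE, smuggled=TROJAN)
    return {
        "clean_verifies": verifier_accepts(clean),
        "tampered_verifies": verifier_accepts(tampered),  # still True: signature not broken
        "tampered_installs_trojan": installer_extracts(tampered, "classes.dex") == TROJAN[1],
        "clean_dups": duplicate_entries(clean),
        "tampered_dups": duplicate_entries(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that neither side is individually wrong: the verifier honestly checks a digest and the installer honestly extracts a file, but they disagree about which bytes the name refers to, and the signature never covered the archive's structure itself. The `duplicate_entries` check is the cheap mitigation an app store or MDM gateway can apply regardless of device patch level; the correct platform fix is for verification and installation to share one parser and for that parser to reject duplicate names outright. The reason impersonating a vendor app matters so much is that Android grants a shared UID such as `android.uid.system` only to packages signed by the same certificate, so a modified package that still validates under the platform certificate inherits that UID and everything it can reach.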
"A device affected by this exploit could do anything in the realm of computer malice, including become a part of a botnet, eavesdrop with the microphone, export your data to a third party, encrypt your data and hold it hostage, use your device as a stepping stone to another network, attack your connected PC, send premium SMS messages, perform a DDoS attack against a target, or wipe your device," a representative of the company wrote to AppleInsider.
Affects everything Android, in a big way
The flaw has been in place since the release of Android 1.6 "Donut," meaning it affects virtually all Android devices sold over the last four years, essentially the entire installed base of Android devices: Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich and Jelly Bean.
A compromised app exploiting the vulnerability can take the appearance of a legitimate app that has been given wide access to system resources. Bluebox notes that many of Android licensees' own apps (such as those from HTC, Samsung, Motorola or LG) as well as many VPN apps (such as Cisco's AnyConnect) are customarily "granted special elevated privileges within Android, specifically System UID access."
After bypassing Android's app-signing model to take the place of such an app, rogue malware can obtain "full access to Android system and all applications (and their data) currently installed."
This means the app subsequently "not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)."
Bluebox adds, "finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."
A big flaw to fix, requiring 900 million firmware updates
Bluebox disclosed the vulnerability to Google and members of the Open Handset Alliance in February 2013, but the firm notes that "it's up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."
So far, Android licensees have been extremely slow to roll out any updates for their users, often refusing to bother with distributing even significant security patches.
Android's unaddressed security lapses have helped make it the world's leading mobile platform for malware, a problem many of its supporters simply refused to acknowledge. This new vulnerability, however, puts Android users at even more risk, because now they can't even trust apps signed by a legitimate developer.
As security firm F-Secure noted in May, "the Android malware ecosystem is beginning to resemble that which surrounds Windows."
Bluebox will be detailing the vulnerability in a Black Hat USA 2013 session by its chief technology officer Jeff Forristal.
Partial containment, Google not open to talking about it
Update: a report by Computerworld notes that Samsung has included a patch rectifying the issue for one device: its flagship Galaxy S4. The article quoted Forristal as saying that "Google has not released patches for its Nexus devices yet, but the company is working on them."
"Google declined to comment on the matter," the report added. "The Open Handset Alliance did not respond to a request for comment."
However, Google has blocked distribution of apps exploiting the flaw in Google Play, although if a user is tricked into manually installing a malicious update "for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store."
Addressing the issue of updating the hundreds of millions of Android devices that have already been sold, Computerworld observed, "the slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users.
"Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws."
Comments
@hydr - Completely agree. There will always be a way here to get access to data.
The curious part of me wonders how they're going to implement a security fix with so much fragmentation.
To all the Walled Garden Apple-hating idiots; welcome to the wide-assed open Android OS where free malware abounds.
I've been waiting for this day, for it was sure to come. Now, 900 million Android customers are re-thinking their earlier choice. I'd not be surprised if Apple sales see a surge that would put the Sandy hurricane to shame... The new iPhones can't get here soon enough...!!!
--
So this affects all the Android users who root and side-load apps. Let's forget for a second most of those users are smart enough to manage their device security without hand holding, and say this is a whopping 2% of the market...maybe. Thanks for the scary headline I guess.
From the source article:
Quote:
"Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed."
Doesn't this mean this story is basically non-issue? I could be wrong, but the article implies that the rogue application has to come from HTC or Samsung, not from Google Play.
Certainly more concerning than the Apple charger exploit that was recently discovered that affects all devices running iOS. At least with the charger exploit an attacker has to have physical access to your device.
Hopefully fixes for both get pushed through so we can all be a little safer.
Quote:
"Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem"
--
Quote:
So this affects all the Android users who root and side-load apps. Let's forget for a second most of those users are smart enough to manage their device security without hand holding, and say this is a whopping 2% of the market...maybe. Thanks for the scary headline I guess.
From the source article:
Quote:
"Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed."
Doesn't this mean this story is basically non-issue? I could be wrong, but the article implies that the rogue application has to come from HTC or Samsung, not from Google Play.
Is Google Play the only app store for Android?
Quote:
Originally Posted by avium
Is Google Play the only app store for Android?
There are countless app stores. The Play store and Amazon's app store are the only ones worth using in the US though. The rest are sub-par and usually offer the same apps that one can find in the Play store anyways.
Quote:
Originally Posted by avium
Is Google Play the only app store for Android?
The only one people use and care about. Amazon is the next best one.
I'm willing to bet 95% of Android users don't even know they can side-load applications and will always be getting apps strictly from the Google Play store. As much as Apple users gloat about being walled in (I don't mind it myself) and that's secure, most best-selling Android phones in their default settings are fairly locked down out of the box. Mostly the tech heads remove those restrictions, and it's on them to be careful about non-curated software.
Again, AI glossed over the fact that those who strictly use Google Play (almost everyone) will not be bothered by this issue. Any infection will require social engineering, which is a user error more than anything.
The fact of the matter is that the vast majority of Android users will not even read about this, and they'll go about life blissfully unaware of an exploit on their device. Most of this vast majority won't even bother to update their phones to remove/block the exploit.
I've been getting lots of spam recently plus legit emails from sites I have never visited -- narrowed it down to two people's computers/phones which were compromised. If the spam doesn't stop soon I will most definitely be changing my email addresses.
Oh boy. If you're going to be a paid shill, at least take the trouble to write decent English and punctuate a bit better?
No worries, android users can hack into their phones and repair the security flaws themselves.
Quote:
Originally Posted by sip
The fact of the matter is that the vast majority of Android users will not even read about this, and they'll go about life blissfully unaware of an exploit on their device. Most of this vast majority won't even bother to update their phones to remove/block the exploit.
I've been getting lots of spam recently plus legit emails from sites I have never visited -- narrowed it down to two people's computers/phones which were compromised. If the spam doesn't stop soon I will most definitely be changing my email addresses.
The vast majority of Android users have 5 apps on their phone max, use Google Play and have little need to be concerned about the issue.
They won't! At least not one that will make it to phones.