Security flaw opens all modern Android devices to "zombie botnet" takeover [u]

Posted:
in iPhone edited January 2014
A newly discovered flaw in Google's Android security model enables rogue apps to gain full access to the Android system and all installed apps, read all data on the device, harvest passwords and create a botnet of "always-on, always-connected and always-moving" spy devices tracking users' location while secretly recording.

Android security flaw


The far reaching vulnerability, discovered by San Francisco's Bluebox Security, involves "discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.""A device affected by this exploit could ...become a part of a botnet, eavesdrop with the microphone, export your data to a third party, encrypt your data and hold it hostage, use your device as a stepping stone to another network, attack your connected PC, send premium SMS messages, perform a DDoS attack against a target, or wipe your device."

Android apps (packaged as an "APK") are signed with an encryption key (just like iOS apps) to prevent a malicious party from changing the code. Signed apps are expressly designed to enable the system to detect any tampering or modification.

However, due to the newly discovered Android flaw, a rogue developer can trick the system into thinking that a compromised app is still legitimate, giving it system wide access to do virtually anything.

"A device affected by this exploit could do anything in the realm of computer malice, including become a part of a botnet, eavesdrop with the microphone, export your data to a third party, encrypt your data and hold it hostage, use your device as a stepping stone to another network, attack your connected PC, send premium SMS messages, perform a DDoS attack against a target, or wipe your device," a representative of the company wrote AppleInsider.

Affects everything Android, in a big way

The flaw has been in place since the release of Android 1.6 "Donut," meaning it affects virtually all Android devices sold in over the last four years, essentially all of the installed base of Android devices: Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich and Jelly Bean.

Mobile OS installed base stats


A compromised app exploiting the vulnerability can take the appearance of a legitimate app that has been given wide access to system resources. Bluebox notes that many of Android licensees' own apps (such as those from HTC, Samsung, Motorola or LG) as well as many VPN apps (such as Cisco's AnyConnect) are customarily "granted special elevated privileges within Android ? specifically System UID access.""most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."

After bypassing Android's app-signing model to take the place of such an app, rogue malware can obtain "full access to Android system and all applications (and their data) currently installed."

This means the app subsequently "not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)."

Bluebox adds, "finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."

A big flaw to fix, requiring 900 million firmware updates

Bluebox disclosed the vulnerability to Google and members of the Open Handset Alliance in February 2013, but the firm notes that "it?s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question.""The Android malware ecosystem is beginning to resemble to that which surrounds Windows."

So far, Android licensees have been extremely slow to roll out any updates for their users, often refusing to bother with distributing even significant security patches.

Android's unaddressed security lapses have helped make it the world's leading mobile platform for malware, a problem many of its supporters simply refused to acknowledge. However, this new vulnerability means puts Android users at even more risk, because now they can't even trust apps signed by a legitimate developer.

As security firm F-Secure noted in May, "the Android malware ecosystem is beginning to resemble to that which surrounds Windows."

Bluebox will be detailing the vulnerability in a Black Hat USA 2013 session by its chief technology officer Jeff Forristal.

Partial containment, Google not open to talking about it

Update: a report by Computerworld notes that Samsung has included a patch rectifying the issue for one device: its flagship Galaxy S4. The article noted Forristal as saying that "Google has not released patches for its Nexus devices yet, but the company is working on them."

"Google declined to comment on the matter," the report added. "The Open Handset Alliance did not respond to a request for comment."

However, Google has blocked distribution of apps exploiting the flaw in Google Play, although if user to is tricked into manually installing a malicious update "for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store."

Addressing the issue of updating the hundreds of millions of Android devices that have already been sold, Computerworld observed, "the slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users.

"Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws."
«13456714

Comments

  • Reply 1 of 275
    hydrhydr Posts: 146member
    When your agenda is to collect as much information about users as possible, security will never be prioritized.
  • Reply 2 of 275
    fuwafuwafuwafuwa Posts: 163member
    That's Android for you.
  • Reply 2 of 275
    emig647emig647 Posts: 2,416member


    @hydr - Completely agree. There will always be a way here to get access to data. 


     


    The curious part of me wonders how they're going to implement a security fix with so much fragmentation.

  • Reply 4 of 275
    koopkoop Posts: 337member
    Oh it's another Android article with "that graph" they've put up to remind you that Apple belongs somewhere in the conversation.
  • Reply 5 of 275


    To all the Walled Garden Apple-hating idiots; welcome to the wide-assed open Android OS where free malware abounds. 


     


    I've been waiting for this day, for it was sure to come. Now, 900 million Android customers are re-thinking their earlier choice. I'd not be surprised if Apple sales sees a surge that would put the Sandy hurricane to shame... The new iPhones can't get here soon enough...!!!

  • Reply 6 of 275
    stniukstniuk Posts: 90member
    Since Google is one of the worse offenders in collecting data it's not surprising they have not spotted this.
  • Reply 7 of 275
    koopkoop Posts: 337member
    "Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app stores application entry process in order to block apps that contain this problem"

    --

    So this effects all the Android users who root and side load apps. Lets forget for a second most of those users are smart enough to manage their device security without hand holding, and say this is a whopping 2% of the market...maybe. Thanks for the scary headline I guess.
  • Reply 8 of 275
    negafoxnegafox Posts: 480member


    From the source article:


    Quote:


    "Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed."



    Doesn't this mean this story is basically non-issue? I could be wrong, but the article implies that the rogue application has to come from HTC or Samsung, not from Google Play.

  • Reply 9 of 275
    droidftwdroidftw Posts: 1,009member


    Certainly more concerning then the Apple charger exploit that was recently discovered that effects all devices running iOS.  At least with the charger exploit an attacker has to have physical access to your device.


     


    Hopefully fixes for both get pushed through so we can all be a little safer.

  • Reply 10 of 275
    aviumavium Posts: 7member


     


    Quote:


    "Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store%u2019s application entry process in order to block apps that contain this problem"



    --



    So this effects all the Android users who root and side load apps. Lets forget for a second most of those users are smart enough to manage their device security without hand holding, and say this is a whopping 2% of the market...maybe. Thanks for the scary headline I guess.



     


    Quote:



    From the source article:


    Quote:


    "Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed."



    Doesn't this mean this story is basically non-issue? I could be wrong, but the article implies that the rogue application has to come from HTC or Samsung, not from Google Play.




     


    Is Google Play the only app store for Android?

  • Reply 11 of 275
    droidftwdroidftw Posts: 1,009member

    Quote:

    Originally Posted by avium View Post


     


    Is Google Play the only app store for Android?



     


    There are countless app stores.  The Play store and Amazon's app store are the only ones worth using in the US though.  The rest are sub-par and usually offer the same apps that one can find in the Play store anyways.

  • Reply 12 of 275
    dreyfus2dreyfus2 Posts: 1,071member
    Most amazing is not this story (it was only a matter of time, DED called Android an amateur OS for a reason). What is amazing is that you can check any Android-hangout, from Android Central to the Verge's Android page to engadget to gizmodo... There seems to be no demand to even alert users about this. Not one mention anywhere.
  • Reply 13 of 275
    koopkoop Posts: 337member

    Quote:

    Originally Posted by avium View Post


     


    Is Google Play the only app store for Android?



     


    The only one people use and care about. Amazon is the next best one. 


     


    I'm willing to bet 95% of Android users don't even know they can side load applications and will always be getting apps strictly from the Google Play store. As much as Apple users gloat about being walled in (I don't mind it myself) and that's secure, most best selling Android phones in their default settings are fairly locked down out of the box. Mostly the tech heads remove those restrictions, and it's on them to be careful about non-curated software. 


     


    Again, AI glossed over the fact that those who strictly use Google Play (almost everyone) will not be bothered by this issue. Any infection will require social engineering, which is a user error more than anything. 

  • Reply 14 of 275
    sipsip Posts: 210member


    The fact of the matter is that the vast majority of Android users will not even read about this, and they'll go about life blissfully unaware of an exploit on their device. Most of this vast majority won't even bother to update their phones to remove/block the exploit.


     


    I've been getting lots of spam recently plus legit emails from sites I have never visited -- narrowed it down to two people's computers/phones which were compromised. If the spam doesn't stop soon I will most definitely be changing my email addresses.

  • Reply 15 of 275
    anantksundaramanantksundaram Posts: 19,416member
    droidftw wrote: »
    Certainly more concerning then the Apple charger exploit that was recently discovered that effects all devices running iOS.  At least with the charger exploit an attacker has to have physical access to your device.

    Hopefully fixes for both get pushed through so we can all be a little safer.

    Oh boy. If you're going to be a paid shill, at least take the trouble to write decent English and punctuate a bit better?
  • Reply 16 of 275
    jungmarkjungmark Posts: 6,719member
    The benefits of "open".

    No worries, android users can hack into their phones and repair the security flaws themselves.
  • Reply 17 of 275
    koopkoop Posts: 337member

    Quote:

    Originally Posted by sip View Post


    The fact of the matter is that the vast majority of Android users will not even read about this, and they'll go about life blissfully unaware of an exploit on their device. Most of this vast majority won't even bother to update their phones to remove/block the exploit.


     


    I've been getting lots of spam recently plus legit emails from sites I have never visited -- narrowed it down to two people's computers/phones which were compromised. If the spam doesn't stop soon I will most definitely be changing my email addresses.



     


    The vast majority of Android users have 5 apps on their phone max, use Google Play and have little need to be concerned about the issue. 

  • Reply 18 of 275
    danoxdanox Posts: 387member
    Buy iOS and OS X!!!
  • Reply 19 of 275
    customtbcustomtb Posts: 336member
    emig647 wrote: »
    The curious part of me wonders how they're going to implement a security fix with so much fragmentation.

    They won't! At least not one that will make it to phones.
  • Reply 20 of 275
    isteelersisteelers Posts: 738member
    "Rogue Developers", classic. It's right up there with "Ancient Astronaut Theorists".
Sign In or Register to comment.