A weakness in the Android security model that validates mobile applications could be used by an attacker to turn a legitimate Android app into a dangerous attack platform, according to a security firm that discovered the vulnerability.
The weakness, discovered by San Francisco-based mobile security startup Bluebox Security, was reported to Google (NSDQ:GOOG)and has been corrected, but the firm said millions of Android devices remain vulnerable. The flaw enables an attacker to bypass the Google Play security mechanism designed to review changes to applications before they are sent to users.
Bluebox Chief Technology Officer Jeff Forristal will present the details of the vulnerability later this month at the 2013 Black Hat conference in Las Vegas.
The Android flaw, which has been in the firmware since 2009, enables an attacker to modify the mobile application code without breaking its cryptographic signature, wrote Forristal. In an alert to Android owners last week, Forristal said application changes could be made without being noticed by the app store, device or end user.
“Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” Forristal wrote.
Digital signatures are used by both Google and Apple to determine the validity of a mobile application. The flaw enables the digital signature to remain intact even if modifications are made, Forristal said. Bluebox showed a screenshot of an HTC device showing how the manufacturer’s software can be modified to access all permissions on the device.
An attacker can program a legitimate app to make phone calls and record them, send text messages or turn on the camera. “Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” Forristal wrote.
Millions of mobile phones could continue to be at risk because security updates pushed out by Google must go to individual handset makers before being pushed out to device owners through their mobile carrier.
Breaking or cheating the cryptographic signature used to validate applications is a potentially serious issue opening up device owners to a wealth of serious problems, said Cameron Camp, a security researcher, at Bratislava, Slovakia-based antivirus vendor ESET. Code signing and application isolation or sandboxing are among the security measures used to make mobile devices safer.
“If you can break the crypto or cheat the crypto into thinking it’s something that it’s not then that is a dangerous problem,” Camp said.
Google did not respond to a request from CRN for comment. The company has reportedly updated its official app store, Google Play, to thwart attempts to cheat the app verification process. But Camp said mobile malware writers bypass Google altogether, getting malicious applications onto devices by using third-party app stores.
Android malware has increased significantly, with more than 92 percent of mobile malware targeting the platform, according toJuniper Networks (NSDQ:JNPR), which released its annual mobile threat report last week. Other reports found a precipitous increase in mobile attacks targeting Android devices. Google has been adding improvements, Camp said, including the addition of Bouncer, a malware scanner that vets apps before they are officially released to Android device owners.
“There are still an awful lot of apps to be analyzing on a daily basis, so determining with any degree of assurance that no malicious code out there is going to be difficult,” Camp said.