Security flaw affects 99 percent of Android phones: report

A security research firm discovered a software flaw that it says has gone unnoticed for years.

Paul Sakuma/ AP Photo/ File
An Android display at the Google Input/Output conference in San Francisco during which Google showcased the latest mobile devices running on its Android software. Security research firm Bluebox recently announced that a flaw in the Android software left 99 percent of Android phones vulnerable to malware attacks.

A security research firm discovered a flaw in the Android operating system that would allow hackers to turn a regular application into a malicious one, completely undetected by smart phone users, the app store, or the service provider.

According to Bluebox Security, the scope of the problem is enormous: It affects 99 percent of Android users.

This security flaw allows hackers to modify a smart phone application's package file (the APK) without breaking the app’s cryptographic signature, according to the Bluebox report. Android normally relies on an app's digital signature to confirm who published it and that its contents have not been altered since; the newly discovered flaw showed that an app’s contents could be changed while its signature still verified as valid.
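The article does not describe how the signature check was bypassed, and Bluebox had not yet published details when this was written. One well-known way a package can be altered without invalidating its signature is a disagreement between the code that verifies the signature and the code that later reads the package: if the two parse the archive differently, the verifier can hash one copy of a file while the installer extracts another. The Python below is an added example written for this page, not code from Bluebox, Google, or the Android project; it models that class of bug with a toy package format (an ordered list of name/bytes entries standing in for a ZIP directory), an HMAC standing in for the developer's real asymmetric signature, and constructed sample contents. The hardened check at the end rejects duplicate entry names and hands the installer exactly the bytes it verified.

```python
"""Model of a signature-check / installer mismatch on a signed package.

Added example with a toy package format: NOT Android's APK layout and
NOT Bluebox's exploit. A package is an ordered list of (name, bytes)
entries, as a ZIP central directory would be read. The signer covers a
manifest of per-entry digests; the signature is an HMAC standing in for
the developer's RSA/ECDSA signature (assumption, kept simple on purpose).
"""
import hashlib
import hmac
import json

DEV_KEY = b"developer-signing-key"  # stand-in for the developer's private key


def manifest_for(entries):
    """Map each entry name to its SHA-256, keeping the FIRST occurrence of
    a name. This mirrors a verifier that stops at the first match."""
    digests = {}
    for name, data in entries:
        digests.setdefault(name, hashlib.sha256(data).hexdigest())
    return digests


def sign(entries, key=DEV_KEY):
    """Sign the manifest, not the raw archive bytes (as APK v1 signing did)."""
    payload = json.dumps(manifest_for(entries), sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_lenient(entries, signature, key=DEV_KEY):
    """Pre-fix style check: recompute the manifest (first occurrence wins)
    and compare signatures. Duplicate entry names are silently tolerated."""
    return hmac.compare_digest(sign(entries, key), signature)


def install_contents(entries):
    """Installer view: plain dict assignment, so the LAST occurrence of a
    name wins. This is the other half of the mismatch."""
    return {name: data for name, data in entries}


def verify_strict(entries, signature, key=DEV_KEY):
    """Hardened check: refuse duplicate names, then return the exact
    name->bytes mapping that was verified so the installer uses only it."""
    seen = {}
    for name, data in entries:
        if name in seen:
            raise ValueError(f"duplicate entry name: {name!r}")
        seen[name] = data
    if not verify_lenient(entries, signature, key):
        raise ValueError("bad signature")
    return seen


# Constructed sample package, signed by the legitimate developer.
ORIGINAL = [
    ("AndroidManifest.xml", b"<manifest package='com.example.app'/>"),
    ("classes.dex", b"dex\n035\x00legit bytecode"),
]
SIGNATURE = sign(ORIGINAL)

# Attacker appends a second classes.dex and leaves the signature untouched.
TAMPERED = ORIGINAL + [("classes.dex", b"dex\n035\x00trojan bytecode")]


def demo():
    """Return (lenient verify result, dex the installer would use,
    strict verify result) for the tampered package."""
    lenient_ok = verify_lenient(TAMPERED, SIGNATURE)
    installed = install_contents(TAMPERED)["classes.dex"]
    try:
        verify_strict(TAMPERED, SIGNATURE)
        strict_ok = True
    except ValueError:
        strict_ok = False
    return lenient_ok, installed, strict_ok


if __name__ == "__main__":
    ok, dex, strict = demo()
    print("lenient verify:", ok, "| installed dex:", dex, "| strict verify:", strict)
```

Run it directly and the lenient check accepts the tampered package while the installer picks up the second, attacker-supplied classes.dex; the strict check refuses it. The lesson is that the fix is not a stronger signature algorithm but a single parse shared by the verifier and the installer, so that what is hashed is exactly what is installed.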

These types of nefarious applications are referred to as “Trojans," and they work in the way the literary allusion implies: users think they are getting a legitimate app, but unbeknownst to them it is filled with malicious capabilities.

“The implications are huge,” according to Bluebox Security’s report. The vulnerability has been present since the release of Android 1.6 and “could affect any Android phone released in the last 4 years – nearly 900 million devices.” Depending on the permissions the modified app already holds, a hacker can read the smart phone's data: personal information such as e-mail, text messages, passwords, and the phone’s location would all be accessible, and could be used for anything from data theft to the creation of a mobile botnet. (A botnet is a network of devices infected with malicious software that makes them perform automated tasks over the Internet, undetected by their owners.)

Part of the difficulty in policing malicious applications is that there are so many different parties shipping Android code: smart phone manufacturers that use the Android operating system (such as HTC, Samsung, Motorola, and LG), third-party software vendors whose apps come preinstalled on devices (Cisco's AnyConnect VPN client, for example), as well as independent app developers.

Apple cut deals with service providers to make the newest version of its operating system available to customers as soon as it is released. In contrast, Android lets carriers decide when to offer updates to the operating system, and a phone left on an older release stays exposed to known vulnerabilities for longer.

Google has been working with Bluebox since February 2013, when the security company discovered the software flaw. Since the flaw is so widespread and has such potential for harm, Google will likely encourage its service providers to release a patched version of Android quickly, says Bluebox founder Adam Ely.

Both Google and Bluebox kept quiet about their efforts to correct the security flaw, says Mr. Ely. “If you warn the consumers about the malicious ware, its writers will also be tipped off.”

Right now, there are two control points to protect consumers: the Google Play app store and the smart phone device manufacturers, Ely explains. But, he warns, there is still a possibility of downloading malware when updating older apps or downloading bootleg versions from outside the official store.

There have not been any known cases of hackers using this kind of Trojan application to hack into Android phones, but that doesn't mean that it's out of the realm of possibilities, Ely says. He gave the example of a fake Jay Z app that smart phone users downloaded in anticipation of the artist's new album. Instead of information about the album, it released an anti-Obama message on July 4th. Irritating, but harmless in comparison to what hackers could have done to consumers' smart phones when they downloaded a fake app.

Additional details about the security issue will be released during the Black Hat USA 2013 security conference on August 1. 

Original article: https://www.csmonitor.com/Technology/2013/0705/Security-flaw-affects-99-percent-of-Android-phones-report