A vulnerability in the Android operating system lets attackers take an existing app, inject malicious code, and repackage it in such a way that it can pretend to be the original app. Should you be worried?
Researchers at Bluebox Security found the flaw in the way cryptographic signatures for apps are verified, Jeff Forristal, CTO of Bluebox, wrote on the company blog July 3. This means attackers could modify the app without changing its cryptographic signature, Forristal said.
The flaw has been around since Android 1.6 ("Donut") and made "99 percent" of devices, or "any Android phone released in the last four years" vulnerable to attack, Forristal claimed.
The scary scenario goes something like this: a legitimate app (for example, a Google app) is modified to steal passwords or connect the device to a botnet and released for users to download. Since both apps have the same digital signature, it will be difficult for users to know which is real and which is fake.
Well, not really.
Am I in Danger?
Google updated Google Play so that there are checks in place to block any malicious apps using this exploit to masquerade as some other app.
If you install apps and updates from Google Play, then you are not at risk from this exploit, since Google has taken steps to secure the app marketplace. If you do download apps from third-party marketplaces, even semi-official ones such as Samsung and Amazon app stores, then you are at risk. For the time being, it may be worth holding off on using those marketplaces.
Google recommends that users stay away from third-party Android app markets.
What Else Can I Do?
It's also important to remember that you should always look at who the developer is. Even if a Trojanized app does make it through Google Play, or if you are on a different app store, the app won't be listed under the original developer. For example, if attackers repackage Angry Birds using this vulnerability, the new version would not be listed under Rovio's account.
If you want to make sure you can't install apps from third-party sources, go into Settings > Security and make sure the checkbox for installing apps from "unknown sources" is not checked.
If you have the latest version of Android, then you are also protected by the built-in app-scanning system as it scans apps that came from sources other than Google Play. That means even if you mistakenly install a bad app, your phone could still block the malicious code.
There are also security apps for Android which can detect malicious behavior and alert you about the offending app. PCMag recommends our Editors' Choice Bitdefender Mobile Security.
Is an Attack Likely?
"Just because the 'master key' has not yet been exploited, doesn't mean we can rest on our laurels," Grayson Milbourne, security intelligence director at Webroot, told SecurityWatch. Mobile security should be about protecting the device from all sidesidentity protection to protect passwords and other personal information, blocking malware and malicious-apps, and being able to find the device if it is lost or stolen, Milbourne said.
Bluebox reported the flaw to Google back in February and Google has already pushed out a patch to its hardware partners in the Open Handset Alliance. Several handset manufacturers have already released patches to fix the problem. The carriers now have to push the fix down to their end users.
"It's up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates)," Forristal said. Bluebox plans to reveal more details during the Black Hat conference in Las Vegas at the end of this month.
Pau Oliva Fora, an engineer with mobile security company viaForensics, posted a proof of concept exploiting the vulnerability on github July 8. Fora created the shell script after reading details of the bug posted by the Cyanogenmod team. Cyanogenmod is a popular version of Android that users can install onto their devices. The team has already patched the flaw.
If you are among the lucky few users who receive an Android update from your carrier, make sure you download and install it right away. Even if the risks are low, updating the OS is just plain good security sense.
0 comments:
Post a Comment