Another security warning for Android powered devices

[dgstorm]

News is quickly spreading across the Internet of another potential security threat to Android devices.

The BBC covered it by saying:

"A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.

The loophole has been present in every version of the Android operating system released since 2009.

Google said it currently had no comment to make on BlueBox's discovery."

The Huffington Post, went on to report that...

"The method demonstrated by Bluebox would let app developers modify an update to a legitimate app to look like a system file, which can then be used to take control of a phone. With the right signature disguising its real motives, the update could log passwords, credit card information, photos, emails - essentially anything on your mobile device.

"The implications are huge," Bluebox explains on its website.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

Meanwhile, Ars Technica have also covered the story...

While it would be devastating if an attacker was able to get such a modified APK into the Google Play Store, or somehow use the technique to hijack the update mechanism of legitimate apps, there are probably safeguards already in place to prevent such attacks.

"I imagine that Google would move quickly to add some logic to look for such attacks," Dan Wallach, a professor specializing in Android security in the computer science department of Rice University, told Ars. "Without that available to an attacker, this is likely to only be relevant for Android users who use third-party app stores (which have lots of other problems). This bug could also be valuable for users trying to 'root' their phones."

Blue box researchers privately reported the vulnerability to Google in February.

So, while this would appear to have the potential to be a problem, there is a lot of difference between "potential" and "actual".

What is your take on this latest security story?

As originally posted by janner43 @TransformerForums.com.

 

[SEMIJim]

So, while this would appear to have the potential to be a problem, there is a lot of difference between "potential" and "actual".

Not really. If the vulnerability exists, it's a problem.

What is your take on this latest security story?

Personally, it's merely one more example of one of the reasons I don't own a "smart" phone: I don't trust the security of Android devices in the least.

What will be truly amusing is to watch how few existing Android devices get this hole closed. I'm guessing only a very small fraction.

Some tech. security type once referred to Android as "the new Windows." I think that's giving the Android ecosystem too much credit.

Jim

 

[Mrhelper]

Dgstorm,

Thanks for the writeup and practical assessement. While there is no such thing as a completely secure computer system, especially as long as humans are involved, Android is still one of the best, and elements of the well partitioned Android security strategy are still setting a great example for other OS vendors.

Google is already scanning for the attack, so apps from Play Store will not be vectors for this attack, whether your device gets an OS patch for this or not. If you obtain apps from reliable sources you will probably not be affected by this.

It is not a problem then for those of us who are cautious. Those who are less cautious by failing to use safe software sources, neglecting backups, using weak passwords, etc., will tend to sabotage their own systems and online security regardless of the OS. Overall, careless computing habits tend to do more damage to personal computing devices than the worst of the vulnerability exploits.