A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app’s cryptographic signature—an action that would normally set off a red flag that something is amiss.
Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said.
The risk to corporate users and consumers is varied. At a minimum, an Android device would be jailbroken. At worst, an attacker could inject a legitimate application with malware that could enable the attacker to read corporate data such as email, make phone calls, send SMS messages, or even retrieve passwords and account information.
The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected.
Applications are digitally signed to establish or confirm the identity of the developer; the digital signatures also ensure that any future updates are issued only by the application’s developer.
“We are able to modify executing code in the APK that is installed. That is normally a red flag because that would break the signature,” Forristal said. “We can do it by not breaking the signature. We have the ability to update any application on a phone and get access to data. We can make a malicious Facebook update by inserting Trojan code into a real one without breaking Facebook’s signature.”
Compounding the issue is the fact that applications developed and pre-installed by handset manufacturers that are platform-signed are granted system level access, one layer away from root access, Forristal said.
“If you can get your hands on a platform-issued application, you can get full access to the system and that includes applications, accounts, passwords—everything the OS is in charge of handling,” Forristal said. “If you can be signed with the same signature, you’re considered part of the OS.
“The vulnerability is across generations and it’s architecture agnostic—it doesn’t matter,” Forristal said. “All you need basically is an app that is platform-signed, Trojan the code and take over the device.”
Forristal said that Google has taken measures to protect applications in the Google Play store so that they’re not vulnerable to exploit. That, however, does not apply to third-party locations hosting APKs for download, or APKs that are exchanged via email or FTP, for example.
“Users need to be cognizant of the source of applications they’re installing and trustworthiness of the source of APKs if they’re not installing from Google Play,” Forristal said. “If you don’t know where the APK came from, it’s no different than grabbing .exes from the Net. Make sure you’re not using apps from untrusted sources and stick to Google Play; Google mentioned it has inoculated Google Play looking for applications using this bug and those should not appear in Google Play.”
While the vulnerability is serious and widespread, Forristal said the fix is relatively painless.
“It’s a very small fix; I have multiple devices in front of me that have it patched,” he said. “The fix is two lines of code in a very specific location. It requires a firmware update to the device, but fixing the bug is simple. It’s more complicated to issue a firmware update.”
Carriers and handset makers are under fire, however, for their lack of feature updates and security patches for Android devices. HTC America reached a settlement with the Federal Trade Commission in February that mandated not only timely updates for its Android devices, but the establishment of a security program, security training for its developers and the establishment of a mechanism for reporting vulnerabilities to the manufacturer.
Then in April, the American Civil Liberties Union filed a complaint with the FTC asking the commission to investigate the four leading wireless carriers: Verizon; AT&T; Sprint Nextel; and TMobile. The complaint charged the carriers with knowingly selling defective phones because the devices were not patched. The ACLU requested that the FTC force carriers to warn customers about unpatched vulnerabilities, allow customers with vulnerable phones to escape their contracts without early termination penalties, and provide that customers may exchange their phones, at no cost, for another that receives regular security updates, or return the phone for a full refund.
“Users need to watch for firmware updates for their phone, which can be a mixed bag depending on the vendor and whether they’ll get a firmware update sooner, later or never,” Forristal said. “It comes down to the vendor’s support cycle or whether the product is end of life, or whether the carriers feel it’s necessary to issue an update.”