Major security flaw found in Android code, OEMs working on a fix

Researchers at Bluebox Security say they have found a major vulnerability in Android’s code that could affect upwards of 900 million devices. Yes, you read that right: almost all Android devices released in the last 4 years could be affected.

The security flaw would allow a digitally signed Android application to be modified without breaking its cryptographic signature – showing up as legitimate and untouched. This could allow hackers to inject malefic code into certain apps, which would then pass as legitimate and secure.

This technique would allow hackers to do almost anything on a compromised device: from a benign jailbreak to obtaining secure passwords, account information and so on.

Bluebox will make the vulnerable code public at a conference in Vegas on the 1st of August, but some handset vendors have already taken steps to address the problem, while Google will release a patch for AOSP soon.

The good news is that the problem is easily fixable with only two lines of code; the bad news is that Android is notoriously unreliable when it comes to updates due to OEMs and carriers. Let’s hope, for everyone’s sake, that for once the firmware updates do make it in time.
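The article does not say how a modified app keeps a valid signature. One well-known way an archive becomes ambiguous is a ZIP with two entries of the same name: a signature check that looks entries up by name hashes one copy while an installer that walks the archive extracts the other. The example below is added here and is not code from the article, Bluebox or Google; it builds a constructed archive of that shape with Python's zipfile and shows the defensive check an installer should apply: reject any archive whose entry names are not unique.

```python
import io
import warnings
import zipfile
from typing import List

def build_apk(duplicate: bool = False) -> bytes:
    """Construct a toy APK-like ZIP (constructed sample data, not a real app).
    With duplicate=True a second entry named classes.dex is appended."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name is reused
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"ORIGINAL-DEX")  # copy a signer would hash
            if duplicate:
                zf.writestr("classes.dex", b"INJECTED-DEX")  # same name, other bytes
    return buf.getvalue()

def duplicate_entries(apk: bytes) -> List[str]:
    """Entry names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()  # lists every entry, duplicates included
    seen, dups = set(), []
    for name in names:
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups

def lookup_by_name(apk: bytes, name: str) -> bytes:
    """What a by-name lookup returns: zipfile keeps only the LAST entry per name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read(name)

def copies_in_order(apk: bytes, name: str) -> List[bytes]:
    """What a walk of the archive sees: every copy of `name`, in directory order."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]

def install_check(apk: bytes) -> bool:
    """Hardened policy: refuse any archive whose entry names are not unique,
    so the verifier and the installer can never disagree on which bytes run."""
    return not duplicate_entries(apk)
```

The two lookups disagree on the ambiguous archive, which is exactly why the policy rejects it before any signature is even examined.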

Source: Threatpost | Image courtesy of PocketNow


47 Comments


Obviously this needs to be fixed.

Since I've been doing fine the last 4 years with all my insecure Android devices, I'm not that worried.

...and this is where Android falls down. You have to wait for OEMs/Carriers to make/test the update and that is if they can even be bothered. This might be a big risk to Android owners but just means it'll cost money to OEMs/Carriers, so they have little incentive to push it out quick smart (if at all). Google really needs to control all OS updates to ensure as many as possible affected handsets can be updated with a fix. Just my 2 cents </rant>

MidnightDevil said,
For some reason I don't see manufacturers releasing OTA updates for this. What versions are affected? All? From Froyo and so on?

Basically Android 1.1 onwards, if this news claims that all the devices in the last 4 years are affected.

I just don't see a patch coming, only for the newer Nexus devices.

SharpGreen said,

Because iOS (and others) are perfectly secure right?

iOS, nope, of course not; still not as bad as Android, but Windows has the best security.

vcfan said,
Show me all the vulnerabilities and malware on Windows Phone. Oh, I'm sorry, you can't.

I'm sure if someone cared enough, it would happen. Just as has happened on iOS.

SharpGreen said,

I'm sure if someone cared enough, it would happen. Just as has happened on iOS.

No, really, Windows Phone has the best security. No one has to care for you to see that: secure boot, app containers, encrypted executables. iPhone apps are not encrypted, iOS firmware is not encrypted, Apple code is so buggy, that's why you keep seeing jailbreaks often. Apple's system was so easy to fool to run unsigned code by writing a blank executable with a script embedded. Android, I won't even go there. Windows Phone runs the Windows kernel, which has had decades of analysis, and Microsoft now has decades of knowledge. The latest Internet Explorer is now the most secure browser.

Edited by vcfan, Jul 4 2013, 10:05pm

techbeck said,

Just because nothing has been found doesn't mean WP is perfect. Arrogant and foolish to think otherwise.

I never said it's perfect. I only said it has the best security. Go look at the security architecture of iOS and Android, and show me how any of them can be superior? iOS doesn't even encrypt its IPAs, or even firmware. That right there is a major security breach. Then come app containers. Every Windows Phone app runs in app containers, unlike iOS, where you can choose to run your app in a sandbox or not. So even if you eventually break in a Windows Phone app, and run unsigned code inside the app, you still need to get out of the app container, which usually means you must find a security hole in the Windows kernel to receive escalated privileges. Windows Phone apps use the WinRT APIs, which deep down rely on Win32. So you must go through many layers. With the kernel being patched for decades, yeah, good luck with that.

vcfan said,

I never said it's perfect. I only said it has the best security. Go look at the security architecture of iOS and Android, and show me how any of them can be superior? iOS doesn't even encrypt its IPAs, or even firmware. That right there is a major security breach. Then come app containers. Every Windows Phone app runs in app containers, unlike iOS, where you can choose to run your app in a sandbox or not. So even if you eventually break in a Windows Phone app, and run unsigned code inside the app, you still need to get out of the app container, which usually means you must find a security hole in the Windows kernel to receive escalated privileges. Windows Phone apps use the WinRT APIs, which deep down rely on Win32. So you must go through many layers. With the kernel being patched for decades, yeah, good luck with that.


Android does the same thing. Every app on Android is run in the context of its own user, which only has access to its own data. It can also only do things for which it has permission. Try using a web browser that doesn't have permission to access the internet or networks. Won't work. So windows phone is NOT the only OS to do app sandboxing. I'd bet iOS also does some form of it as well.

Yes, and apparently so many apps are breaking this container because the implementation is horrible. Hell, most of Chrome's security on Windows relies on the security features of Windows itself.

And this is only one aspect of the security model. Let's not get too far off my initial point, which you somehow thought was funny. Add all the other aspects, such as secure boot, encrypted apps, only OTA updates, encrypted updates, no sideloading.

vcfan said,
Yes, and apparently so many apps are breaking this container because the implementation is horrible. Hell, most of Chrome's security on Windows relies on the security features of Windows itself.

And this is only one aspect of the security model. Let's not get too far off my initial point, which you somehow thought was funny. Add all the other aspects, such as secure boot, encrypted apps, only OTA updates, encrypted updates, no sideloading.

Actually, no they aren't. You seem to have skipped over the part about permissions. Stupid users not paying attention to what they are doing make it seem as though Android devices aren't as secure as they really are.

Windows Phone has the ability to sideload apps as well if you pay the ridiculous $99 a year developer fee. Granted, said ability is limited only to apps signed by you, but that's not the point. Rather funny that I know more about Windows Phone than you seem to. Also, secure boot just means signed bootloader and kernel, among other things. Most not-made-by-Google Android devices have one or the other, sometimes both, and OTA update support as well on all.

vcfan said,

iOS, nope, of course not; still not as bad as Android, but Windows has the best security.


At least it may look like that due to the little usage of that mobile operating system.

SharpGreen said,

Actually, no they aren't. You seem to have skipped over the part about permissions. Stupid users not paying attention to what they are doing make it seem as though Android devices aren't as secure as they really are.

Windows Phone has the ability to sideload apps as well if you pay the ridiculous $99 a year developer fee. Granted, said ability is limited only to apps signed by you, but that's not the point. Rather funny that I know more about Windows Phone than you seem to. Also, secure boot just means signed bootloader and kernel, among other things. Most not-made-by-Google Android devices have one or the other, sometimes both, and OTA update support as well on all.


So you are purposely ignoring the malware apps on Android that could bypass any 'rights' you chose when installing the app?
Or all sorts of malware apps coming directly from the store.

Until either of these cases happens on WP8, WP8's security is better.

Let's look at it like this: WinRT is only 'jailbroken' by Microsoft's own debug tools.
And the market for WinRT is large enough to wonder... why has no one hacked the RT part of Windows yet? If they can hack RT, they can most likely hack WP8, and vice versa.

SharpGreen said,

Actually, no they aren't. You seem to have skipped over the part about permissions. Stupid users not paying attention to what they are doing make it seem as though Android devices aren't as secure as they really are.

You are delusional if you think permissions are what's keeping you from getting malware. Malware is breaking out of the sandbox, without having to publish such permissions, elevating their privileges, then doing their damage. For example, here's the latest one.

http://www.securelist.com/en/b...ophisticated_Android_Trojan

SharpGreen said,

Windows Phone has the ability to sideload apps as well if you pay the ridiculous $99 a year developer fee. Granted, said ability is limited only to apps signed by you, but that's not the point. Rather funny that I know more about Windows Phone than you seem to.

You know I meant third-party apps. Of course you can sideload your own signed apps if you are a developer; how do you expect a developer to debug his applications? Stop being so dense. Only encrypted third-party WP8 Store apps can be installed on Windows Phone.


Also, secure boot just means signed bootloader and kernel, among other things. Most not-made-by-Google Android devices have one or the other, sometimes both, and OTA update support as well on all.

I don't care if Android ALSO has OTA updates; what I'm saying is Windows Phone updates the phone exclusively through encrypted files OTA, therefore there is nowhere to intercept such code.

Really, nothing I said about Windows security being better is wrong. Windows 8 runs the same kernel, and the same libraries, as Windows Phone. You don't think security researchers are trying to find holes? They get paid to do it. Hell, antivirus companies are salivating at the mouth trying to find holes, so they could sell you more anti-malware software; new special edition Metro malware killer, etc.

Enron said,
I thought Android was open source. How could it take so long to find?

It depends on people looking at the code... seems nobody looks at it.

Praetor said,
It depends on people looking at the code... seems nobody looks at it.
Surely you know that finding bugs in code is not like spotting cows in a field?

Kirkburn said,
Surely you know that finding bugs in code is not like spotting cows in a field?

I was being sarcastic, seems I forgot the /s tag.

NesTle said,
It's not.
Play Store will know because they decompress the file...

Play Store is not secure and lets many malicious apps through its weak filters; it's no secret!

NesTle said,
It's not.
Play Store will know because they decompress the file...

It doesn't matter if the file is decompressed and scanned. The code can be encrypted, and it decrypts itself then runs whenever it wants.

For example, I'll write this code, encrypt it into my app, and check the date until long after my app takes to get approved in the Play Store. If my app is installed after a certain date, my app will decrypt the encrypted code, and run it.

From reading around on this 'issue', 99% of users will be fine as they install apps from the Play Store. If you install apps from other sources, then it's your own fault if your phone gets infected or damaged.

KitCh said,
From reading around on this 'issue', 99% of users will be fine as they install apps from the Play Store. If you install apps from other sources, then it's your own fault if your phone gets infected or damaged.

As said below, the files can be altered without breaking the signature, so Google won't know about it - even Play Store apps.

The user will know, as you have to sideload the APK.
Google also, as you have to add code to the APK.

Google scans the APK before letting it into the Play Store; this bit of code is already in their database.
And before enabling APK sideloading you have to accept the risk and check a box.

Would be interested to know how this would implement itself; if all current devices are vulnerable with little or no user action, this will be a huge issue!

ZipZapRap said,
They should hand out free condoms when you get an Android device
.....because android users get so much tail

I find it funny when journalists try to use big or uncommon words to sound smart or to make their article/blog post sound better. Just use malicious.