Bluebox Security reveals Android vulnerability in run up to Blackhat convention

Jul 04, 2013 by Bob Yirka weblog
Screenshot of HTC Phone After Exploit

(Phys.org) —Mobile security startup Bluebox Security has revealed, via a post on its website, a vulnerability in smartphones running the Android operating system. The vulnerability, they say, could allow hackers to modify the code of apps installed on a phone without breaking the app's cryptographic signature.

Normally an app is distributed as an Android application package (APK) that its developer has cryptographically signed. The signature covers the contents of the package, so it lets the device confirm that the app has not been modified since the developer signed it; a mismatch is a sign that the package has been tampered with. Android checks the signature when the app is installed or updated, which is what makes it difficult for hackers to slip altered code into an existing app. Now Bluebox is reporting that they've found a way to modify existing apps on a device without disturbing the cryptographic signature. Worse, they say, the flaw goes all the way back to Android 1.6, which was released nearly four years ago. That, they say, means that 900 million devices are currently at risk.
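To make the signing check described above concrete, the following is an added example, not code from the article or from Bluebox. It models the JAR-style scheme Android used at the time: META-INF/MANIFEST.MF lists a SHA-1 digest for every packaged file, and the developer's signature covers that manifest. The sample APK is a constructed in-memory ZIP, and the certificate/PKCS#7 signature over the manifest is assumed to be verified separately and is left out; the point shown is that changing a file's bytes normally changes its digest and breaks verification.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample: a tiny "APK" (plain ZIP) whose META-INF/MANIFEST.MF lists a
# SHA-1 digest for every packaged file, the way Android's JAR-style signing does.
# The PKCS#7 signature over the manifest is assumed to be checked elsewhere.


def _digest(data):
    """Base64 SHA-1 digest, the encoding JAR manifests use."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(files):
    """Return a JAR-style MANIFEST.MF covering every name -> bytes in files."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {_digest(data)}", ""]
    return "\n".join(lines).encode()


def build_apk(files):
    """Pack the files plus their manifest into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(files))
    return buf.getvalue()


def parse_manifest(text):
    """Map entry name -> SHA1-Digest from the manifest's per-file sections."""
    entries, name = {}, None
    for line in text.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            entries[name] = line[len("SHA1-Digest: "):]
            name = None
    return entries


def verify_apk(apk_bytes):
    """Recompute each packaged file's digest and compare it with the manifest.

    Returns (ok, problems). Files under META-INF/ are the signature block
    itself and are not listed in the manifest, so they are skipped.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        expected = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        for name in zf.namelist():
            if name.startswith("META-INF/"):
                continue
            if name not in expected:
                problems.append(f"{name}: not covered by manifest")
            elif _digest(zf.read(name)) != expected[name]:
                problems.append(f"{name}: digest mismatch")
    return (not problems, problems)


def tamper(apk_bytes, name, new_data):
    """Rewrite one entry (simulating a code modification) without touching META-INF."""
    src = zipfile.ZipFile(io.BytesIO(apk_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return buf.getvalue()


# Constructed package contents (hypothetical app, not a real one).
SAMPLE_FILES = {
    "classes.dex": b"dex\n035\x00original bytecode",
    "AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
}

if __name__ == "__main__":
    original = build_apk(SAMPLE_FILES)
    print("untouched:", verify_apk(original))
    patched = tamper(original, "classes.dex", b"dex\n035\x00patched bytecode")
    print("modified: ", verify_apk(patched))
```

Run stand-alone, the untouched package verifies cleanly and the patched one reports a digest mismatch for classes.dex, which is the behaviour the signing scheme is meant to guarantee and the behaviour Bluebox says it was able to defeat.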

Modification of an app allows a hacker to make the app do things the user is not aware of, such as accessing data. One of the most serious scenarios, Bluebox says, is if an app made by the manufacturer of the phone is changed. Such apps, they note, generally have access to phone functionality as well as services such as text messages. That means a modified app could be made to control the phone's camera, for example, or to place calls.

Bluebox isn't revealing exactly how a hacker might take advantage of the vulnerability—that would be inviting trouble, of course. They do say that they notified Google of what they'd found back in February, and presumably the tech giant is working on a solution. In the meantime, they suggest that users abstain from downloading apps from risky third-party sites. They also strongly urge enterprise managers to have all users of a given system update their devices as soon as a fix becomes available. The company is promising to reveal more about the nature of the vulnerability at this year's Black Hat USA 2013 conference.
