Bluebox Security reveals Android vulnerability in run up to Blackhat convention

Jul 04, 2013 by Bob Yirka weblog
Screenshot of HTC Phone After Exploit

(Phys.org) — Mobile security startup Bluebox Security has revealed, via a post on its website, a vulnerability in smartphones running the Android operating system. The vulnerability, they say, could allow hackers to modify code in apps running on a phone without breaking the app's cryptographic signature.

Normally, when an app is downloaded from a reliable source, it comes as an Android Application Package File (APK). The package allows the app to prove that it has not been modified since it was installed, since any such modification would be a sign that it had been hacked and changed. This check is made every time the app is run. To make it more difficult for hackers to modify existing apps, the APK is given a cryptographic signature. Now Bluebox is reporting that they've found a way to modify existing apps on a phone without disturbing the cryptographic signature. Worse, they say, the vulnerability goes all the way back to Android 1.6, which was released nearly four years ago. That, they say, means that 900 million devices are currently at risk.

Modification of an app allows a hacker to cause the app to do things the user is not aware of, such as access data. One of the most serious scenarios, Bluebox says, is if an app made by the manufacturer of a phone is changed. Such apps, they note, generally have access to phone functionality in addition to services such as text messages. That means a modified app could be made to control the phone's camera, for example, or to place calls.

Bluebox isn't revealing exactly how a hacker might take advantage of the vulnerability—that would be inviting trouble, of course. They do say that they notified Google of what they'd found back in February, and that presumably the tech giant is working on a solution. In the meantime, they suggest that users abstain from downloading apps from risky third-party sites. They also strongly urge enterprise managers to encourage all users of a given system to update their devices as soon as a fix becomes available. The company is also promising to reveal more about the nature of the vulnerability at this year's Black Hat USA 2013 conference.
