July 4, 2013 weblog

Bluebox Security reveals Android vulnerability in run up to Blackhat convention

by Bob Yirka , Phys.org

Bluebox Security reveals Android vulnerability in run up to Blackhat convention
Screenshot of HTC Phone After Exploit

(Phys.org) —Mobile security startup Bluebox Security has revealed via a post on its website a vulnerability in smartphones running the Android operating system. The vulnerability, they say could allow hackers to modify code in apps running on a phone without breaking the app's cryptographic signature.

Normally when an app is downloaded from a reliable source, it comes with something called the Android Application Package File (APK). The purpose of the file is to allow the app to prove that it's not been modified since being installed—a sign that it's been hacked and changed. A check is made every time the app is run. To make it more difficult for hackers to modify existing apps, the APK is given a cryptographic signature. Now Bluebox is reporting that they've found a way to modify existing apps on a , without disturbing the cryptographic signature. Worse, they say, the goes all the way back to Android 1.6, which was released nearly four years ago. That they say, means that 900 million devices are currently at risk.

Modification of an app allows a hacker to cause the app to do things the user is not aware of, such as access data. One of the most serious scenarios, Bluebox says, is if an app made by the manufacturer of a phone is changed. Such apps, they note, generally have access to phone functionality in addition to services such as text messages. That means a modified app could be made to control the phone's camera, for example, or to place calls.

Bluebox isn't revealing exactly how a hacker might take advantage of the vulnerability—that would be inviting trouble, of course. They do say that they notified Google of what they'd found back in February, and that presumably the tech giant is working on a solution. In the meantime, they suggest abstain from downloading apps from risky third party sites. They also strongly encourage enterprise managers to encourage all users of a given system to update their devices as soon as a fix becomes available. The company is also promising to reveal more about the nature of the vulnerability at this year's Black Hat USA 2013 conference.

© 2013 Phys.org

Citation: Bluebox Security reveals Android vulnerability in run up to Blackhat convention (2013, July 4) retrieved 30 April 2024 from https://phys.org/news/2013-07-bluebox-reveals-android-vulnerability-blackhat.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Feature stops apps from stealing phone users' passwords
0 shares

Feedback to editors

Relevant PhysicsForums posts

(Solved) Change fill-in color in PDF file with Adobe without Pro

Apr 27, 2024

Flipped RGB colours in a TV

Apr 25, 2024

Fixing Linux kernel not found

Apr 16, 2024

Is an invisible LED mouse more accurate than one with a red LED?

Apr 15, 2024

AI In Actual Use

Apr 13, 2024

Does anyone make zero-flicker computer monitors?

Apr 13, 2024

More from Computing and Technology

Load comments (0)