Researchers warn of “huge” Android security flaw
Security researchers say they have discovered a vulnerability in Android’s security model
that could allow attackers to take full control of smartphones running Google's mobile operating
allows hackers to modify an app without breaking its cryptographic signature,
according to Jeff Forristal, chief technology officer (CTO) at mobile security firm Bluebox.
Android uses cryptographic signatures to determine if the app is legitimate and to verify that
the app has not been tampered with or modified.
The ability to bypass this means that hackers could turn any legitimate
application into a malicious Trojan, unnoticed by the app store, the phone, or the end user,
Forristal wrote in a blog post.
Researchers at Bluebox Labs, who discovered the vulnerability, believe the flaw was introduced
with the release of Android 1.6 and could affect up to 900 million devices.
Depending on the type of application, they say a hacker could exploit the vulnerability for
anything from data theft to creation of a mobile botnet.
The risk to the enterprise is great, said Forristal, and this risk is compounded by applications
developed by the device manufacturers because they are granted special elevated privileges in
“Installation of a Trojan application from the device manufacturer can grant the application
full access to Android system and all applications (and their data) currently installed,” he
This means the application has the ability to read application data on the device such as email,
SMS messages and documents, and retrieve all stored account and service passwords.
“It can essentially take over the normal functioning of the phone and control any function
thereof,” said Forristal.
The most unsettling concern, he said, is the potential for a hacker to take advantage of the
always-on, always-connected, and always-moving nature of these “zombie” mobile devices to create a
Bluebox disclosed the Android flaw to Google in February, but said it is up to device
manufacturers to release firmware updates for mobile devices and up to users to install them.
Bluebox recommends that:
■ Device owners use extra caution identifying the publisher of the app they want to
■ Enterprises with BYOD implementations should prompt all users to update their devices
and highlight the importance of keeping their devices updated.
■ IT should see this vulnerability as another driver to move beyond just device management
to focus on deep device integrity checking and securing corporate data.