The Hacker News Logo
Subscribe to Newsletter

Android vulnerability allows hackers to modify apps without breaking signatures

Almost all Android handsets are vulnerable to a  flaw that could allow hackers to seize control of a device to make calls, send texts, or build a mobile botnet, has been uncovered by Bluebox Security .i.e almost 900 million Android devices globally.

Or simply, The Flaw allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.

When an application is installed and a sandbox is created for it, Android records the application's digital signature and all subsequent updates for that application need to match its signature in order to verify that they came from the same author and anything without the signature certificate won’t install or run on a user’s device.

The vulnerability has existed since at least Android 1.6, which means that it potentially affects any Android device released during the last four years. Samsung’s flagship Galaxy S4 has already been patched, so it is likely that manufacturers have quietly sprung into action.

Vulnerability is particularly dangerous because of the way many big-name companies have granted Android devices running on their networks additional privileges. After bypassing Android's app-signing model to take the place of such an app, rogue malware can obtain full access to Android system and all applications (and their data) currently installed.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," said Bluebox on the potential risks.

Bluebox disclosed the vulnerability to Google in February, but said that it was up to individual handset manufacturers to issue patches. Google hasn't responded to a request for comment.

However, Google has blocked distribution of apps exploiting the flaw in Google Play, although if user to is tricked into manually installing a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.