
Summary:

The vulnerability could allow data theft or the hijacking of a handset and it affects almost all Android devices. However, those sticking to the Play Store should be able to stay safe.


UPDATE (3.45am PT): Google has reportedly tightened up security within its Play Store mechanisms, making this flaw less dangerous than it initially seemed. The story has been updated to reflect this.

You may have seen reports out there about a serious flaw affecting almost all Android handsets. But, assuming you’re packing one of said devices, how worried should you be?

If you’re in a hurry, here’s the short answer: not too worried, as long as you stick to apps from the Play Store. If you have time for the explanation, here it is.

Who announced this flaw?

That would be Bluebox Security, a new mobile security startup that’s supposedly in stealth mode.

This isn’t just a publicity stunt, is it?

Probably not. Bluebox’s CTO is a chap called Jeff Forristal, who’s been involved in the security scene for a decade or so. And this does appear to be a serious vulnerability – it affects any Android phone released in the last 4 years, which is around 99 percent of them. That said, the post isn’t very explicit about Google having fixed its Play Store security.

So what does this vulnerability allow?

The flaw lies in the way Android verifies app packages – APK files – as genuine. It allows the code inside such a file to be altered without the alteration being detected. If the app in question comes from the device manufacturer or a trusted partner, it will probably come with privileged access to the device. This raises the possibility of “Trojan” apps that gain full access to the Android system and to other apps.

This means such Trojans could steal information or take over aspects of the device, or even make the handset part of a wider botnet without the user knowing about it.
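The kind of pre-installation check a defender can apply to an APK, added here as an example rather than code from the article or from Bluebox: an APK is a ZIP archive, and a legitimately signed one never lists the same file path twice in its central directory, so an archive that does so is rejected before any signature check is trusted (in the later-public details of bug 8219321, the verifier and the installer could read different copies of such a duplicated entry). The sample archives are constructed in memory; the entry names and contents are illustrative.

```python
"""Flag APKs whose ZIP central directory lists the same entry name twice.

Added example, not the article's or Bluebox's code. A signed APK should
never contain duplicate entry names; if it does, the package may have had
code injected alongside the original copy and must not be trusted, even
if a signature check over the "original" entries passes.
"""
import io
import warnings
import zipfile
from collections import Counter
from typing import Dict


def find_duplicate_entries(apk_bytes: bytes) -> Dict[str, int]:
    """Return {entry_name: occurrences} for every name listed more than once."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() reflects the central directory as stored, duplicates included.
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive should be rejected outright."""
    return bool(find_duplicate_entries(apk_bytes))


def build_sample_apk(duplicate: bool) -> bytes:
    """Construct a minimal APK-shaped archive (constructed test data, not a real app)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile only warns when writing a duplicate name; we want the duplicate.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00original-code")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            if duplicate:
                # Second entry with the same path: the tampering pattern to catch.
                zf.writestr("classes.dex", b"dex\n035\x00injected-code")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample_apk(duplicate=flag)
        print(f"duplicate={flag}: suspicious={is_suspicious(sample)}",
              find_duplicate_entries(sample))
```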

Sounds bad. What’s being done about it?

In line with responsible disclosure practice, Bluebox quietly disclosed the flaw to Google back in February. It’s listed as Android security bug 8219321. So Google, which is not openly commenting on Bluebox’s public disclosure, has had at least 4 months to get the word out to Android device manufacturers, who are the ones now expected to release firmware updates to fix the vulnerability.

Bluebox will also release proofs-of-concept of its exploit, for each device vendor, at the upcoming Black Hat USA 2013 security conference. According to Computerworld, Samsung’s flagship Galaxy S4 has already been patched, so it is likely that manufacturers have quietly sprung into action.

What’s more, CIO reports that Google has patched its own Play Store so that it can recognize when app updates have been tampered with.

Phew, right?

Yes and no. One of Android’s traditional problems is that many older devices don’t see updates anymore – the evolution of the operating system and the underlying hardware since the Froyo or Gingerbread versions, for example, has been so great that the manufacturers would rather you just buy a newer device.

This situation is changing – the evolution of phone processors is likely to hit a plateau after the leap to quad-core, and the next version of Android, Key Lime Pie, will reportedly cater for low-spec phones, so that older and cheaper devices are covered. However, it’s still down to the manufacturer to make sure the devices it sold 2 or 3 years back get patched, so there’s a good chance that many devices won’t see an update.

However, Google banned Play Store apps from updating outside the Play Store update mechanisms a couple of months after Bluebox told it about the vulnerability. If it has also fixed its Play Store security mechanisms, that should keep most users safe.

The only exception to this is those users who turn to third-party Android app marketplaces. There are many legitimate reasons to do so — for example, the Play Store is understocked in many countries, such as China, and some users may have a taste for apps that Google won’t allow into the Play Store, such as those with pornographic content. So that minority of users will find itself at the mercy of those third-party app store proprietors, and their device manufacturers.

  1. Another defamation publicity stunt. No root user actually uses the APK verification anyway and there are a million workarounds to denying root/network access to individual apps, in addition to the Android system telling you specifically the list of permissions the app will have. Attention seekers.

    1. Mjdumpling, the number of people who root their phone make up a tiny fraction of all Android users. So while your point may have some merit, it is inconsequential in the grand scheme of things.

    2. Not exactly. If the app already has the permissions (say eg. Dropbox or the phone app or gmail etc.), an update will not alert you to changed permissions.

      But for this to happen, the app would have to be updated in the App Store. Play Store has already prevented that. I don’t know how Amazon’s app store works, but I expect that there are App Stores in China and Russia that may not have implemented this. So users of those stores may well have a problem.

      The other scenario is someone sideloading an update after downloading an app from the Play Store. Again, this is so out of the ordinary that I hope even the people gullible to phishing may think twice – and of course they would still have to enable “unknown sources” in settings, and these people are probably the ones most likely to not be aware of that.

      The last category are those people who install pirated apps from the web. And in my opinion, they are getting what they deserve.

  2. Laughing_Boy48 Thursday, July 4, 2013

    It’s Android. What would you expect except malware, security breaches and fragmentation. Android OS is the Wild West of OSes. Most Android users are still running Gingerbread, so they’re not eligible for anything except to buy newer Android devices which makes the most sense. Most Android users don’t have a clue as to what’s going on around them. It’s up to Google and the carriers to protect them.

    1. Don’t Believe the Hype Laughing_Boy48 Thursday, July 4, 2013

      While 36.5% are still running Gingerbread, as of June 3rd, 58.6% are running Ice Cream Sandwich and Jelly Bean. (http://developer.android.com/about/dashboards/index.html). Also, almost all of the malware statistics come from outside the US, mostly in China. So while it IS a concern there, Android is pretty safe outside China.

      Additionally, if people use the Play store it is safer than competing app stores.

      Just a little bit of food for thought.

      1. I wouldn’t say that the Play Store is intrinsically “safer” than other stores. Especially with Google app verification now integrated in Android 2.3+ – this bug is pretty benign to begin with.

        The only fear is if someone gets emailed a malicious email with an APK that targets an app already installed, and then the user grants the installation. We don’t know the full disclosures for this bug yet, but I’m guessing that this bug bypasses the Unknown Sources toggle, deferring to the security cert on-device already… that’s why Google banned off-Play Store updates to apps, since they can’t enforce app scanning on off-Play Store.

        The whole myth of Android (and sideloading) being insecure was solved when Google backported Verify Apps to all Android 2.3+ devices via a Google Play update. Even non-Google Experience devices have access to this feature – Google published it as part of AOSP.

        You could build a Bing/Yahoo/Amazon-exclusive Android device, and Verify Apps is now available… as such, sideloading is now safe provided your manufacturer knows how to build properly.

  3. “One of Android’s traditional problems is that many older devices don’t see updates anymore.”

    Very understated. The core problem with Android is that updates flow through the device manufacturers and carriers and even new devices can wait months for updates to critical vulnerabilities…if they appear at all.

    Google has to separate core functionality from manufacturer and carrier specific, and update it directly.

  4. My admittedly cheap tablet is not recognized by Google Play Store. As a retired software developer, I’m OK with a $70 toy to experiment with MIT’s App Inventor and try to learn Java. So I get apps from 1Moble and Slideme, which are unknown as to security. Oh, well?

  5. The funny thing is there is so much self-consolation here and everyone is saying there is no problem, and I wonder why Google needs to patch their store.

    Yes only the iPhone is vulnerable but not the android phone. /s

  6. So what ARE the “third-party app store proprietors” doing about patching this vulnerability?

  7. On Jul 18, 2013 I had botnet software running on a non-rooted Samsung using Android @Email 4.0 to inject spam to Yahoo contacts. 100% confirmed, and the offending email header had a T-Mobile IP address. I have no idea which app did this other than the Samsung integrated mailer (that you can’t uninstall unless you root the phone). I wish I could say it was a publicity stunt.
