Jeff Forristal, the Chief Technology Officer at Bluebox Security posted a description of the flaw on Wednesday. It affects Android devices running any version of the OS released in the past four years, starting with Version 1.6 (codename: “Donut” ) – a population of nearly 900 million devices. Discrepancies in how Android applications are cryptographically signed and then verified by Android allow a malicious attacker to modify the application package file (or APK) code without breaking the cryptographic signature.
The implications of the flaw are huge. A malicious application installed on a vulnerable Android device could access any data stored on the device. For applications, such as mobile virtual private network (VPN), an attacker who could alter the application’s code or fool the user into installing a compromised version of it would have unfettered access to the compromised Android device, installed applications and data, including e-mail, SMS messages, documents and stored account information, Forristal warned.
Bluebox (@BlueboxSec) notified Google of the issue in February, but Forristal wrote that updates to the mobile OS that repair the hole are dependent on firmware updates from the many handset makers that use Android and, then, on users to download and install those updates. He will discuss details of the vulnerability in a talk at the Black Hat USA security conference in early August.
Google wasn’t able to immediately respond to a request for comment.
In an e-mail exchange with The Security Ledger, Forristal declined to discuss the specifics of the vulnerability. However, he said that his research on Android was related to a security product that Bluebox is building.
Speaking about Android’s security model, he said that he believes that the core OS has a strong security architecture. “Where things start to fracture is all of the OEM (original equipment manufacturer) customizations and add-ons.” OEMs like handset makers operate “under a ‘get to market’ paradigm (more) than a ‘build it secure’ paradigm,” he wrote.
“Device manufacturers will install hastily-written drivers, make system tweaks and adjustments for differentiation or to simply work around an issue, and dump extra apps into the ROM without really considering what that does for the security posture of the system as a whole,” Forristal wrote, pointing to recent examples, like the semi-sanctioned CarrierIQ spyware.
The rapid rise of Android to become the world’s most used mobile operating system has been a matter of concern to security experts, who worry that Google’s OS may become a new, Windows style monoculture for the mobile space. The OS is already the platform of choice for mobile malware authors, who are drawn to Google’s loosely policed Play application store and a wild west of third party app stores. Specifically, Google’s loose hold on the fractured Android install base has left hundred of millions of consumers with devices that run vulnerable and outdated versions of the mobile OS.
Until the hole is patched, Android device owners should be cautious when installing or updating an application, and make sure to verify the identity of the publisher of the application they want to download, Forristal wrote.