Critical Security Flaw Discovered in Android Smartphones
A so-called “master key” for Android smartphones has been discovered by a security firm which is warning that it could give almost unfettered access to any Android phone, regardless of its security settings.
The loophole, discovered by Bluebox, has been present in every Android OS version since at least 1.6.
Bluebox’s CTO, Jeff Forristal, wrote in his blog that the vulnerability allows a hacker to modify APK code without breaking an application’s cryptographic signature, and so to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.
All Android applications contain signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. The loophole makes it possible for a hacker to change an application’s code without affecting the signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.
Bluebox says that it handed details of the Android security flaw to Google in February 2013.
Technical details of how to exploit the security flaw will be revealed at the Black Hat USA 2013 conference at the end of this month.
At the moment, there is no evidence that the exploit has been discovered by malicious hackers, although with the details due to be revealed at the conference, Google and Android handset manufacturers have just a few weeks to repair the problem.
Another factor that makes the exploit harder to use is that the hacker would first have to persuade users to download a malicious app. While that is unlikely via Google’s own app store, there are a number of app stores, mainly Chinese, that are known to be less stringent in their security checks.