July 4, 2013
The vulnerability has been present in Android for the past four years, so potentially any Android phone released in that period, roughly 900 million devices, could be targeted.
The vulnerability, discovered by mobile security company Bluebox Labs, enables hackers to not only access data and passwords, but to take over the normal functioning of the device.
An attacker can modify the contents of an app's APK package without invalidating its cryptographic signature, so the tampered package still installs as if it came from the original publisher. That means any legitimate app can be turned into a malicious Trojan without the user, or the device's own signature check, being any the wiser. Because Android treats packages signed with the same key as coming from the same developer, a tampered copy of an app signed with a device manufacturer's key also keeps that app's system-level privileges, which is the case Bluebox describes below.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed,” reads a post on the Bluebox blog.
“The application then not only has the ability to read arbitrary application data on the device (e-mail, SMS messages, documents, etc.), retrieve all stored account and service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet.”
Bluebox provided a screenshot to illustrate how an Android device can be modified.
“In this case, we have modified the system-level software information about this device to include the name ‘Bluebox’ in the Baseband Version string (a value normally controlled and configured by the system firmware),” the blog post explains.
The security firm is offering three key recommendations to Android users:
• Double-check the identity of the app’s publisher before downloading.
• Companies with a BYOD policy should not only ask all Android users to update their devices, but stress the importance of keeping their devices updated.
• IT departments should “move beyond just device management to focus on deep device integrity checking and securing corporate data.”
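The mechanism behind the flaw, and the kind of "deep device integrity checking" the last recommendation calls for, are worth seeing in code. Bluebox's post does not describe the mechanism; what was disclosed publicly later is that an APK is a ZIP archive, and the Android component that verifies the package signature and the component that extracts its files resolved duplicate entry names differently, so an attacker could add a second record under an already-signed name and have one set of bytes verified and another extracted. The Python below is an added example written for this page, not Bluebox's code and not Android's verifier: a manifest of SHA-256 digests stands in for the JAR signature (no certificate or signed manifest), the two payloads are constructed, and the "first record wins" and "last record wins" tie-break rules are modelled as functions rather than attributed to any particular Android version. The strict verifier at the end is the integrity check a scanner should apply: refuse any package whose central directory names the same file twice.

```python
"""Added example (not Bluebox's or Android's code): how duplicate ZIP entry
names let a package pass a digest check on one set of bytes while a parser
with a different tie-break rule extracts another, and the strict check that
closes the gap."""
import hashlib
import io
import warnings
import zipfile

ENTRY = "classes.dex"              # the signed file an attacker wants to replace
MANIFEST = "META-INF/MANIFEST.MF"  # stand-in for the signed JAR manifest
ORIGINAL = b"dex\n035\x00 original application code"  # constructed payload
TAMPERED = b"dex\n035\x00 injected trojan code"       # constructed payload


def manifest_for(body):
    """Simplified manifest: 'name digest' for the one entry it covers. The
    real scheme digests every entry and signs the manifest with the
    developer's certificate; that part is assumed away here."""
    return f"{ENTRY} {hashlib.sha256(body).hexdigest()}\n".encode()


def build_zip(entries):
    """Write (name, bytes) pairs in order. Duplicate names are written on
    purpose: zipfile warns, but still emits a local header and a
    central-directory record for each, which is the ambiguity demonstrated."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, body in entries:
                zf.writestr(name, body)
    return buf.getvalue()


def resolve(data, name, policy):
    """Bytes of `name` as seen by a parser whose tie-break rule is `policy`:
    'first' or 'last' matching central-directory record wins."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        matches = [info for info in zf.infolist() if info.filename == name]
        if not matches:
            return None
        info = matches[0] if policy == "first" else matches[-1]
        with zf.open(info) as fh:  # opens that specific record by offset
            return fh.read()


def verify(data, policy):
    """Naive verifier: compares the manifest digest against whichever ENTRY
    record its own tie-break rule selects, and nothing else."""
    raw = resolve(data, MANIFEST, policy)
    body = resolve(data, ENTRY, policy)
    if raw is None or body is None:
        return False
    fields = raw.decode().split()
    expected = dict(zip(fields[0::2], fields[1::2]))
    return hashlib.sha256(body).hexdigest() == expected.get(ENTRY)


def duplicate_entries(data):
    """Names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
    return sorted({n for n in names if names.count(n) > 1})


def verify_strict(data, policy):
    """Hardened verifier: a package naming the same file twice is ambiguous,
    so it is rejected before any digest is compared."""
    return not duplicate_entries(data) and verify(data, policy)


def honest_package():
    return build_zip([(ENTRY, ORIGINAL), (MANIFEST, manifest_for(ORIGINAL))])


def trojan_package():
    """The attacker leaves the legitimately signed entry and its manifest
    untouched and prepends a same-named record carrying the payload."""
    return build_zip([(ENTRY, TAMPERED), (ENTRY, ORIGINAL),
                      (MANIFEST, manifest_for(ORIGINAL))])


if __name__ == "__main__":
    pkg = trojan_package()
    print("last-wins verifier accepts:", verify(pkg, "last"))
    print("first-wins extractor gets:", resolve(pkg, ENTRY, "first"))
    print("duplicate names:", duplicate_entries(pkg))
    print("strict verifier accepts:", verify_strict(pkg, "last"))
```

Run stand-alone, the script shows the trojan package passing a last-wins verifier while a first-wins extractor returns the injected bytes; swapping the order of the two records flips which policy is fooled, which is why the only safe rule is to reject duplicates outright rather than to pick a "correct" tie-break.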