A major vulnerability believed to be present in 99 percent of Android devices can allow an attacker to hijack any legitimate app without modifying its digital signature, researchers have found.
San Francisco-based Bluebox Security discovered the Android master key flaw, which could give miscreants full access to all data and applications stored on victims' devices, as well as take over functions like making phone calls, sending text messages, recording calls and using the phone's camera.
Jeff Forristal, CTO of Bluebox Security, said the bug is present in any Android phone released in the last four years (dating back to Android 1.6), thus it impacts an estimated 900 million devices. In a blog post written last week, Forristal explained that the vulnerability allows a hacker to modify Android's application package file (APK) without making changes to an app's cryptographic signature.
When the digital signature of an app has been changed, it usually serves as a cue that something is amiss – but this flaw allows legitimate apps that have become infected to go unnoticed, Forristal explained, saying that the implications of the vulnerability were “huge.”
"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified," Forristal wrote. “This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”
According to a Tuesday blog post by Symantec's security response team, hackers previously needed to change the application and publisher name to infect a legitimate app, signing it with their own digital signature.
"Someone who examined the app details could instantly realize the application was not created by the legitimate publisher," said the blog post. "Now that attackers no longer need to change these digital signature details, they can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code."
Though a concerning revelation to researchers, the flaw has yet to be exploited by an attacker. Forristal plans to reveal more details about the vulnerability later this month at the Black Hat conference in Las Vegas, where he'll divulge a proof-of-concept for major Android device vendors, as well as explain how the exploit was created and how it works.
Bluebox Security disclosed the bug to Google in February, but end users will have to depend on device manufacturers to release a fix via firmware updates.
In a Wednesday email to SCMagazine.com, Gina Scigliano, a Google spokeswoman, confirmed that Google has published a patch and that "some" manufacturers, including Samsung, have begun shipping a fix to customers.
For some time, critics have expressed concerns about users' reliance on cell phone carriers to dispatch fixes for critical vulnerabilities impacting users.
In April, the American Civil Liberties Union filed a complaint with the Federal Trade Commission asking the agency to look into the common gripe.
"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers' smartphones by the wireless carriers and their handset manufacturer partners," the ACLU wrote.
UPDATE: In a Wednesday email, Jeff Forristal told SCMagazine.com that, depending on the device, cooperation is necessary between phone manufacturers (which modify fixes so they can be used by consumers) and wireless carriers (which sometimes manage distribution of an update.)
“Wireless carriers facilitate and gate the distribution of the fix, but it's the device manufacturers that need to create it,” Forristal said. “In that regard, both parties are participating in the responsibility.”
As consumers wait for a fix, Bluebox has provided a free app that detects whether one's phone has been updated to address the bug.
Publicly available tools that can help attackers create malicious applications for the vulnerability already have made their way online, Forristal said, an indicator that his Black Hat talk shouldn't impact the vulnerability's threat level much.