Tuesday, July 9, 2013

Google patches the 4-year-old Android loophole that could allow malware on 99 percent of all devices [MASTERKEY EXPLOIT]

Android is at present the world’s most popular operating system for mobile devices. Google recently announced that there are more than 900 million activated Android devices worldwide. Now, a security firm has discovered a loophole in the system that can compromise 99 percent of that number, which includes both smartphones and tablets.

Before moving on to how Google fixed the loophole, let's have a look at what the loophole is, who discovered it and how it works.

Bluebox Security, the company behind the discovery, has uncovered an “Android master key” which has the potential to let any hacker turn literally any Android app into a Trojan horse. This essentially means that a malware-ridden app can enable hackers to remotely capture data and control functions on an Android device, such as calls or messages. Neither the phone user, nor Google or the app developer will come to know about the hack.
On the Bluebox Security blog, CTO Jeff Forristal has put up a post explaining that the vulnerability has existed since Android 1.6: Google’s Donut build, which was released around four years ago. Forristal said that the company zeroed in on the method used by hackers, which revolves around modifying an app’s APK code without having to crack the signature used for authentication. This means the app, which may be loaded with malware, will appear completely normal and bona fide from the outside.


How it works:
The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.
All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.
Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013. It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question.
The screenshot below demonstrates that Bluebox Security has been able to modify an Android device manufacturer’s application to the level that we now have access to any (and all) permissions on the device. In this case, we have modified the system-level software information about this device to include the name “Bluebox” in the Baseband Version string (a value normally controlled & configured by the system firmware).



Scan Your Device for the Android “Master Key” Vulnerability : 

The Bluebox Security Scanner app produced by our research team allows you to directly check if your Android device has been patched for this vulnerability without the hassle of having to contact the device manufacturer or mobile carrier.  It will also scan devices to see if there are any malicious apps installed that take advantage of this vulnerability.  Once we discovered the bug we set out to create a tool to help individuals to evaluate their risk and that app is now available for free at the Google Play store :


The scanner will save you significant time and keep you from having to do the “leg work” to figure out if your device has been safely patched.  If your device has not been patched, it will provide you with the information you need to ask your device manufacturer when a fix will be available.

This free app also does a partial device integrity check by searching for malicious apps leveraging the “master key” vulnerability so you won’t have to purchase a mobile AV application just to check for malware leveraging this vulnerability.

Screenshots of the Free Bluebox Security Scanner :





Google releases fix in response to “Master Key” exploit :

---------------------------------------------------------------------------
Google has released a fix in response to Bluebox Security’s claim to have found a vulnerability in the security model of Android, one that could enable attackers to transform 99% of all apps into Trojan malware. Google stated that the security hole has been patched, and that the patch has been released to the OEMs (Original Equipment Manufacturers).
The CTO of Bluebox Security, Jeff Forristal, had stated that the security hole has been around at least since the release of Android 1.6. He also stated that the security exploit could affect all Android phones released in the past 4 years. It also means that approximately 900 million devices could have been affected if the security hole had been used by attackers.

The vulnerability exists in the process of verification and installation of Android apps. Each Android app has a cryptographic signature that’s used to make sure that the contents of the app don’t get tampered with. The security hole, however, supposedly enables attackers to modify the contents of an app while keeping the signature intact. Communication manager of Google, Gina Scigliano, stated that there isn’t any official statement from Google in this regard.

With Google patching the exploit, we’ll now have to wait for the manufacturers to add the security patch to upcoming updates. Therefore, Android users will have to wait for their respective vendors to release the update. According to the media communications manager, users don’t need to worry much, as there has been no incidence of exploitation of the security hole.

This exploit is nothing new, but the fact that it’s finally been patched is good news. Continue using safe methods by only installing apps from the Play Store, and you won’t have a problem.
 

For more details: http://bluebox.com (the website of the organization that discovered the vulnerability)