Yesterday, security research firm Bluebox discovered a dangerous “master key” to all Android devices. The vulnerability has been present in every version of the Android operating system released since 2009, and affects 99% of devices running Android, according to Bluebox. The discovery comes as Android security was also called into question by clone apps, with a copy of Jay Z’s Magna Carta Holy Grail carrying a 4th of July message against the American PRISM surveillance program.
The loophole would enable a hacker “to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.”
In short, there is a way of tricking Android into thinking an app is unchanged, by adding a piece of rogue code without changing the cryptographic signature. But don’t panic: there is no evidence to suggest that this flaw has been taken advantage of.
The implications are obvious enough. Users enter everything from personal information to bank details into apps, thinking they are totally secure. Entering this information when the app carries a piece of extra code could be very dangerous. However, the real danger lies with apps developed by the device manufacturer, or by third-party developers contracted to make apps for the manufacturer: in other words, the default apps. These apps are given special privileges in the Android system – System UID access.
Bluebox explain that “Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.”
The news came on the same day that Jay Z’s app Magna Carta Holy Grail, released to publicise his album of the same name, suffered from an apparent hack attack. It was discovered by McAfee in a pirated copy of the app.
A clone version of the app, which was meant to be exclusive to Samsung devices, carried a timer which was set to display a political message on the 4th of July. On that date, Independence Day in the USA, the background of the app changed to an image of President Obama wearing headphones, under the phrase “Yes We Scan” – a nod to the recent revelations surrounding the NSA’s PRISM program.
The political message would suggest a hacktivist intention. However, the Trojan app also sent information about the infected device to an external server every time it restarted. It is not yet known whether the cloned app had other malware which targeted sensitive information such as financial transactions.
Both of these issues highlight problems for Android. The Jay Z app was a clone, downloaded from an unofficial source. It was simply a well-designed copy which fooled some users into downloading it. However, as the Bluebox discovery shows, users are vulnerable even when using official apps. Android were informed of the vulnerability in February and have pointed out that it is up to manufacturers to release firmware and up to users to update their devices to help prevent these holes from being utilised.
As for malicious apps such as the fake Magna Carta Holy Grail, the advice is to stick to trustworthy sources when you get your apps and to check the name of the developer.
Photo Credit: McAfee