Android bug that affects 99% of devices detailed

July 8, 2013
With the help of a number of software researchers, the details of the Android exploit Bluebox reported earlier this week have been uncovered.

The specifics of the widespread Android bug we previously reported on have, since security firm Bluebox revealed its existence to the developer community earlier this week, remained mired in mystery. It was understood that a malicious application could abuse Android’s signing mechanism – the operating system’s safeguard against infectious apps purporting to be legitimate – to pass as an APK update from Google, Samsung, or any number of companies, but the methodology required to do so was unclear.

With the help of a number of software researchers, the details of the exploit have been uncovered. Apparently, the most widely distributed versions of Android rely on a flawed archive (ZIP, JAR, and APK, as the term relates to Android) verification mechanism that allows potentially harmful code to avoid detection. When examining an application signature, Android checks files in a particular order. It’s possible, then, to trick the operating system by including a modified file before the original. When Android goes to verify the archive, it sees the original, unmodified file with the valid signature, and so allows malicious files to install and execute.
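A defender-side check for the condition described above, as an added example that is not from the original article or from Bluebox: it lists entry names that occur more than once in a ZIP/JAR/APK, on the assumption that the modified file and the original share the same entry name. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(archive):
    """Map each repeated entry name to [(position, crc32, size), ...].

    `archive` is a path or binary file object holding a ZIP/JAR/APK.
    Assumption: a tampered archive carries two entries with the same name.
    """
    seen = defaultdict(list)
    with zipfile.ZipFile(archive) as zf:
        # infolist() keeps every central-directory record, duplicates included,
        # whereas name-based lookups only ever return one of them.
        for pos, info in enumerate(zf.infolist()):
            seen[info.filename].append((pos, info.CRC, info.file_size))
    return {name: hits for name, hits in seen.items() if len(hits) > 1}


def build_sample(names):
    """Build an in-memory ZIP with the given entry names (constructed data)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns on a repeated name but still writes the entry.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, f"placeholder content {i}".encode())
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample(["classes.dex", "AndroidManifest.xml", "classes.dex"])
    for name, hits in duplicate_entries(sample).items():
        print(f"duplicate entry {name!r}:")
        for pos, crc, size in hits:
            print(f"  position {pos}  crc32={crc:08x}  size={size}")
```

An archive that reports any duplicate name should be rejected before installation, since a well-formed APK has no reason to contain one.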

Which devices are not affected? What can you do?

A few distributions of Android are not vulnerable to this type of attack. The Galaxy S4 received a fix, and CyanogenMod project lead Steve Kondik recently committed a patch to all distributions of the third-party firmware. In addition, Google is reportedly working on an update for Nexus devices, though the company has declined to comment officially.

What should owners of smartphones with older versions of Android do to avoid viruses and adware? Not much, really. Presumably, Google’s ensured the Play Store’s automated malicious code scanner has been updated to check for the exploit; the company’s been aware of this bug since February, and so has had plenty of time to take preventative measures. In truth, the security hole represents the biggest threat to users of third-party app stores and pirated applications – usually, these are not so thoroughly vetted for malicious code. However, people who wish to protect themselves have a few options. Those with phones no longer supported by the manufacturer can install the latest CyanogenMod nightly build for their respective device. Owners of the latest Android smartphones should see firmware with a security fix soon, though how soon is another matter. Finally, Nexus folks should see something from Google at some point in the future.

Is this bug cause for anyone to panic? No, not really. As long as you’re conscientious about the source and appearance of your applications and updates, you’ll be perfectly safe.

Comments

  • mcquoidellum

    Love the ending.. very polar outcomes, really leaves ya hanging. No one gets an answer to whether they’re infected.
    Broke my Note, Moto X?

  • districtjack

    I think it boils down to basic common sense. Don’t download apps from anywhere other than Google Play. If you download an app from the internet you are rolling the dice. If the app you want from a web site is also available from Google Play, go over to Google Play and download it. Who is to say if the web site offering that awesome app has not been hacked 12 minutes before you surfed to it?

    Unless you are an IT admin, security techie, or a bona fide programmer/developer, stick to the play store.

    • LAKAME

      Not possible if Google Play is unavailable in your country (like me) :(

  • deV14nt

    So the largest group will get the update early: CyanogenMod. How fitting. Why don’t we just preinstall CM and call it a day?

  • http://goo.gl/xuiTR Out of the Park Apps

    Well, I believe this was a new security feature, so not surprising it had a bug… Point is, there was no scan before, now there’s a scan. Even with a bug, it’s better than nothing and can easily be patched as it is linked to Google Play (that’s why it affects 99% of devices).

  • MasterMuffin

    As I already commented on AA (and got many dislikes because people didn’t for some reason understand what I meant), this is a perfect opportunity for a dev to make a universal root app that could root almost every Android phone. It’d have a lot of demand and bring rooting to everybody! We have to find ways to use it for good too

  • blackstone

    Stupid question: is there a risk if you install a custom rom like AOKP, SlimBean, PacMan, JellyBam, since developers can add/hide what they want?

    • SeraZR™

      no m8
      the devs aren’t that corrupt

      • Michael

        Plus, it’s not difficult to dump all apks on a rom, even if we overlook the fact that most are open source.

  • tonycoleby

    That library image has to be the worst stock photography I’ve ever seen.