The specifics of the widespread Android bug we previously reported on have, since security firm Bluebox revealed its existence to the developer community earlier this week, remained mired in mystery. It was understood that a malicious application could abuse Android’s signing mechanism – the operating system’s safeguard against infectious apps purporting to be legitimate – to pass as an APK update from Google, Samsung, or any number of companies, but the methodology required to do so was unclear.
With the help of a number of software researchers, the details of the exploit have been uncovered. The most widely distributed versions of Android rely on a flawed verification mechanism for application archives (an APK is a ZIP archive, just as a JAR is). When checking an application's signature, Android reads the archive's entries in a particular order, so an attacker can include a modified copy of a file ahead of the original under the same name. When Android verifies the archive it sees the original, unmodified file, which matches the valid signature, and so it allows the malicious copy to be installed and executed.
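The defensive check that follows from this description is simple: an archive in which two entries share one name should never be accepted, because a signature verifier and an installer may each pick a different copy. The Python below is an added example, not code from the article, Bluebox or the Android project; it builds a constructed sample APK with a duplicated `classes.dex` entry (sample bytes only, no real bytecode) and shows both the detection and why name-based lookup is unreliable. Function names are the author's own.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(inject: bool) -> bytes:
    """Build a constructed in-memory APK-style ZIP.

    With inject=True a second entry named classes.dex is appended after the
    first, mirroring the duplicate-name condition described in the article.
    The payloads are placeholder bytes, not real DEX bytecode.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns when a name is written twice; the duplicate is the
        # point of this fixture, so the warning is silenced on purpose.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
            z.writestr("AndroidManifest.xml", "<manifest/>")
            z.writestr("classes.dex", b"constructed: original bytecode")
            if inject:
                z.writestr("classes.dex", b"constructed: modified bytecode")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map each entry name that appears more than once to its count."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        counts = Counter(info.filename for info in z.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """Reject any archive with duplicated entry names before verifying it."""
    return not duplicate_entries(apk_bytes)


def entries_by_name(apk_bytes: bytes, name: str) -> list:
    """Return the payload of every entry carrying `name`, in directory order.

    Opening by ZipInfo rather than by name reads that specific entry.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return [z.open(info).read() for info in z.infolist()
                if info.filename == name]


def lookup_by_name(apk_bytes: bytes, name: str) -> bytes:
    """Name-based lookup, as a naive verifier or installer might do it.

    Python's zipfile resolves a duplicated name to the last entry written;
    a component that walks the directory sequentially sees the first one.
    Two components using different strategies will disagree on the content.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return z.read(name)


if __name__ == "__main__":
    bad = build_sample_apk(inject=True)
    print("duplicates:", duplicate_entries(bad))
    print("safe:", is_safe_to_install(bad))
    print("first copy :", entries_by_name(bad, "classes.dex")[0])
    print("name lookup:", lookup_by_name(bad, "classes.dex"))
```

Which copy a given reader sees depends entirely on its lookup strategy; the example only shows Python's choice, and the article's point is that Android's verifier and installer made different ones. Rejecting duplicate names up front, as `is_safe_to_install` does, sidesteps the question, which is the same approach a patched verifier takes.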
Which devices are not affected? What can you do?
A few distributions of Android are not vulnerable to this type of attack. The Galaxy S4 received a fix, and Cyanogenmod project lead Steve Kondik recently committed a patch to all distributions of the third-party firmware. In addition, Google is reportedly working on an update for Nexus devices, though the company has declined to comment officially.
What should owners of smartphones with older versions of Android do to avoid viruses and adware? Not much, really. Presumably, Google has ensured that the Play Store's automated malicious code scanner has been updated to check for the exploit; the company has been aware of this bug since February, and so has had plenty of time to take preventative measures. In truth, the security hole represents the biggest threat to users of third-party app stores and pirated applications, which are usually not so thoroughly vetted for malicious code. People who wish to protect themselves do have a few options, however. Those with phones no longer supported by the manufacturer can install the latest Cyanogenmod nightly build for their respective device. Owners of the latest Android smartphones should see firmware with a security fix soon, though how soon is another matter. Finally, Nexus owners should see something from Google at some point in the future.
Is this bug cause for anyone to panic? No, not really. As long as you’re conscientious about the source and appearance of your applications and updates, you’ll be perfectly safe.