Security researchers have found a bug in Android which allows them to create malicious Android apps which appear to be genuine with the correct digital signatures. In computing, digital signatures allow any piece of data, including an app, to be checked to see that it is genuine and actually comes from the author. Now, due to a bug in Android, it is possible to create a fake app and sign it so it looks like a real app from any author including Google, or others like Samsung, HTC and Sony.
Since the digital signatures of Google and handset manufacturers can be faked it is possible to create a low level system app which has absolute access to the device. These system apps, which have what is known as ‘System UID access’ can perform any function on the phone including modifying system-level software and system-level parameters.
If such an app is installed on an Android phone, the user would be completely vulnerable to a multitude of attacks including key-logging and password sniffing. The researchers at Bluebox Security informed Google about the flaw (Android security bug 8219321) back in February and are now planning to reveal details of the bug at an upcoming security conference.
Any real danger?
Theoretical security flaws exist in almost every piece of software including iOS, Microsoft Windows Phone and Android. The journey from theoretical to real can be a long one, but not an impossible one. The question is now, is there any real danger to Android users. The answer is a bit grey.
Bluebox Security says that the bug is present in 99% of all Android devices and they are right. Until Google releases a patch and the manufacturers release updates then the majority of Android devices remain exposed.
However, the key metric about any vulnerability is how easy is it to exploit? First of all, users who download apps from third party sites including warez sites, torrents and media sharing sites are in the most danger. The most common way for hackers to spread their malware is to upload a copy of a popular app that has been modified to include malicious components. If hackers discover the secrets to Bluebox’s method of altering an app without breaking its cryptographic signature then apps with system level access could be installed on any version of Android from 1.6 to 4.2, even those which haven’t been rooted.
It would also be possible for hackers to create fake firmware upgrades that look like they come from Samsung, HTC or LG etc, but are in fact just decoys that upload a malicious app.
But for users who only use Google Play then the chances of infection are very small. It is unlikely that hackers will be able to get one of these apps into Google Play and we can assume that since Google has known about this bug since February, then it has implemented safeguards into the app store upload process to block any such apps from appearing online.
What this means is that the old mantra, “only download from Google Play or the Amazon App store” is even more true today. It also means that should hackers succeed in copying Bluebox’s techniques that we will see a rise in the number of malware infections in countries which heavily use third-party sites like China and Russia.