AH Virus Malware Piracy Skull Death Samsung logo 1.0

Android Crypto Blunder Can Expose It To Malware

July 29, 2014 - Written By Cory McNutt

Nothing is more important than security when it comes to our mobile devices – it was needed long before the private and sensitive information was added that we carry on our smartphones today.  Programs to access bank accounts, credit card numbers stored for easy access, eBay, Amazon, and PayPal logins to name a few, are routinely carried around with us. We need to be sure that our information will not be compromised, especially the older generation  – I guess they have more to lose – if companies expect the more mature person to use their smartphone for banking transactions.  Even my wife will not use her smartphone for online banking…she barely trusts it on her PC.

Our source claims that researchers are saying that the majority of devices running Google’s Android OS are susceptible to hacks that can allow malicious apps to bypass the standard security.  They cannot only steal our credentials, but also read emails and access sensitive payment history information.  Bluebox Security said this situation or bug has existed since Android 2.1 in early 2010 and called it the Fake ID.  Just as a person with a fake ID can sneak into a bar, these malicious apps can go places that should be off limits to them.  According to researchers, Google has fixed some of the vulnerability in their more recent updates to Android, however, the underlying bug remains unpatched even in Android 4.4 and even in the newest Android ‘L,’ which they have not yet released.

Apparently, Google has some elite class of “super privileged programs,” that do not need to verify the chain of certificates for authenticity.  If a malicious app includes an invalid certificate, but claims it is Flash, Wallet or another app hard coded into Android, the OS will give that rogue app the same special privileges assigned to a legitimate app.  Changes in Android 4.4 limit some privileges Android allows for Flash, but the underlying problem still existed. Jeff Forristal, CTO of Bluebox Security, told Ars, “All it really takes is for an end user to choose to install this fake app, and it’s pretty much game over.  The Trojan horse payload will immediately escape the sandbox and start doing whatever evil things it feels like, for instance, stealing personal data.”

A spokesperson for Google said, “We appreciate Bluebox responsibly reporting this vulnerability to us; third-party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.” It will be interesting to see if the patch really did fix this issue – Forristal has already said that they will be keeping their eye on it and run more tests in the near future.  Please hook up with us on our Google+ Page and let us know what you think about Android and its security – do you think Google is doing enough, especially if they expect the military or business enterprises to adopt Android…as always, we would love to hear from you.

Android Security