‘Master key’ to Android phones found; can give attackers access to almost any Android phone

“A ‘master key’ that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox,” BBC News reports.

“The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages,” The Beeb reports. “The loophole has been present in every version of the Android operating system released since 2009.”

The Beeb reports, “Writing on the BlueBox blog, Jeff Forristal, said the implications of the discovery were ‘huge.’ The bug emerges because of the way Android handles cryptographic verification of the programs installed on the phone.

“Android uses the cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. Mr Forristal and his colleagues have found a method of tricking the way Android checks these signatures so malicious changes to apps go unnoticed,” The Beeb reports. “Any app or program written to exploit the bug would enjoy the same access to a phone that the legitimate version of that application enjoyed.”

Read more in the full article here.

MacDailyNews Take: Yet another reason not to settle for cheap knockoffs.

[Thanks to MacDailyNews Reader “m2” for the heads up.]

Related articles:
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013
FBI issues warning over Android malware attacks – October 15, 2012
Researchers discover serious flaw in Android app security, say HTC and Samsung ignore issue – September 28, 2012
Apple’s iPhone has passed a key security threshold – August 13, 2012
Android permissions flaw allows eavesdropping, data theft, location tracking – December 2, 2011
Massive HTC Android security flaw leaves security expert speechless – October 2, 2011
Apple’s iOS unaffected by malware as Android exploits surge 76% – August 24, 2011
Android malware records phone calls; iPhone users unaffected – August 2, 2011
Symantec: Apple iOS offers ‘full protection,’ Google Android ‘little protection’ vs. malware attacks – June 29, 2011
Malware apps spoof Android Market to infect Android phones – June 21, 2011
Google forced to pull several malware-infested apps from Android market – June 8, 2011
Android malware sees explosive growth; even faster than with PCs – April 27, 2011
Virus-laden apps infest Google’s ‘open’ Android platform; iPhone unaffected – March 3, 2011
Security firm warns of new Android trojan that can steal personal information; iPhone unaffected – December 30, 2010
Trojan infects Android smartphones; iPhone unaffected – August 10, 2010
Millions of Android phone users slammed by malicious data theft app – July 29, 2010
Unlike proactive Apple, reactive Google doesn’t block malware from Android app store – June 4, 2010
Malware designed to steal bank information pops up in Google’s Android app store – January 11, 2010″>FBI’s Android security warning means Apple’s iPhone beats Android for BYOD enterprise – October 16, 2012

26 Comments

    1. Yeah, but the military (hopefully) isn’t using off the shelf Android. Being able to completely modify the OS to meet specific needs had to play a part in picking Android – loading it approved secure app and blocking users from installing any other apps would be the first modification they would make.

      This is definitely a big deal for regular Android users, though, hopelessly unaware of these kinds of security problems. Passwords, contacts, email credentials, coordinates, sometimes even credit card info – there’s all sorts of data on smart phones that demand better security than this.

  1. What saddens me is that most of the population won’t ever hear about this. Of those who will, many would read it and shrug and go about their Android-phone-owning-business because, thanks to years of Microsoft’s domination, they believe it’s just business-as-usual. Malware is just something you have to tolerate if you want to own technology. What a crappy paradigm.

  2. My problem with MDN linking to these types of anti-Android articles is MDN never explains why iOS is superior.

    How likely would it be that a similar exploit is found on iOS? Not very likely I would assume but I don’t know anything about how iOS handles app verification.

    Maybe someone who is an technical expert on this can write a post on why this type of exploit can not happen on Apple’s exosystem.

    1. “why this type of exploit can not happen on Apple’s exosystem”

      Apple checks applications before they are allowed into the Apple-curated App Store.

      You see, Robert… Google early on boasted about being “open”, compared to Apple’s “closed” approach. What this actually gave Android was a fragmented OS and ecosystem filled with Malware and second-rate apps. You would think that being “open” would give you the lions share of apps, but this hasn’t been the case. Apple’s iOS has more apps available to it in relation to Android.

      This, along with many other varied points, makes iOS superior to Android-based iOS clones.

      1. Further, if an app by any company is found to violate rules it gets pulled down rather quickly and some companies have seen all their apps pulled in one fell swoop.

    2. Good question – but iOS does provide many safeguards against these types of security issues – and I feel like MDN has linked to many articles about this before.

      Security has always played a huge role in the design of iOS’s “closed” ecosystem – from blocking direct access to the filesystem, initially blocking all third party programs, eventually adding third party programs but only through an Apple curated centralized app repository, anti-theft features like remote wipe and find-my-phone, adding remote “kill switches” to disable any App discovered to be insecure, to using OS X as the core of iOS so they can leverage all the security features developed for Mac over the years. Apple knows there are special security concerns for Internet phones – and has shown it will do everything it can to maintain that security, knowing its users aren’t all security experts.

  3. Hi Tflint

    If I gave the impression that I thought MDN wrote the actual article, then that wasn’t my intention. I know they didn’t write it.

    What I would like to happen in the future is that they try to explain why iOS cannot be susceptible to the exploit that is talked about in the article that they link to. If they don’t have the technical expertise, they should do some research to find the answer and then update the article or write a followup post.

    I’m just trying to give some suggestions to improve the types of articles on MDN and attract more readers.

    1. Robert, all applications installed on an iPhone are pre-tested and approved by Apple before they go into the Apple app store for sale. That’s why it’s called a “walled garden”. The only way to install unapproved apps on an iPhone is to defeat the iPhone’s built in protections by “jailbreaking” it. Doing so voids all protections and warranties.

  4. This is very serious, and Google is going to have to adjust in some way to deal with it. Just trying to fix it in 4.3.1 won’t help (4.3 is pretty much ready for release) – with the speed that updates get released to devices (and since over 60% of Android users are stuck on old versions with no upgrade path at all), many people are susceptible to this.

    Google is going to have to change the way they handle screening apps in the Google Play store (meaning, they need to start screening apps).

    I’ll be at Blackhat at the end of the month, so I’ll definitely sit in on Jeff’s briefing to get more details about this.

    It won’t be long before people begin exploiting this (if they haven’t already been doing so).

    1. No way Google can screen apps, that’s a pipe dream at this point. It took Apple 5 years to build their app screening system and Google is never going to be able to duplicate it at this point, even if they want to. Android has steadily been spiraling out of Googles control and its not going to ever be fixed. Besides this Google makes almost no money on Android and its become more and more of a liability. Google tries to keep a happ face for public consumption but it was the worst mistake in company history to lose Apple as a friend.

    2. The cats out of the bag already, though. As soon as Google fixes this problem 3 more will take its place – all while this problem keeps being exploited on unpatched devices.

      Creating an insecure system, releasing it the public, then trying to patch every security problem that pops up after its been exploited in the wild (aka the Microsoft security strategy) is a recipe for disaster.

      Preemptive, preventative, and proactive security – where systems are carefully designed to stop the majority of security exploits from happening in the first place (aka the Apple security strategy) is the only one that’s been proven effective.

      1. That’s a relief for a while the media was trying to say that Apple’s security was through obscurity. I wonder if those media types ever made a retraction, grew a spine and researched the facts.

        Mmmmm probably not.

  5. 1) So the only way to fix this would have to be a firmware update and a firmware update can only come through the handset manufacturers, not be pushed by google.

    2) The vast majority of Android handsets have never been and will never be updated.

    3) Any Android handsets that are compromised will potentially compromise ALL networks to which the unwitting handset owner has connected, revealing all network usernames and passwords, decrypted by access to the app, invisible to the end user.

    4) If you have every had any android phones connect to your network, you need to change your passwords

    5) if you have sent sensitive emails or credit card info to anyone on Android, know that your sensitive information could have been compromised.

    Google needs to be more proactive and open about this so that systems administrators can take appropriate action to insure the integrity of their networks.

    1. “…so that system administrators can take appropriate action…”

      Heck, just deny access to any devices whose wireless MAC address doesn’t start with an OUI assigned to Apple! 🙂

  6. So great that this information could help us a lot about android phones. Nowadays, many android phone online store that sell different android phone brands. Only there is the description and no satisfactorily information to broaden our knowledge about iphones. Thanks to this site!

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.