Security researchers say they have discovered a vulnerability in Android’s security model that could allow attackers to take full control of smartphones running Google's mobile operating system (OS).
The vulnerability allows hackers to modify an app without breaking its cryptographic signature, according to Jeff Forristal, chief technology officer (CTO) at mobile security firm Bluebox.
Android uses cryptographic signatures to determine if the app is legitimate and to verify that the app has not been tampered with or modified.
The ability to bypass this means that hackers could turn any legitimate application into a malicious Trojan, unnoticed by the app store, the phone, or the end user, Forristal wrote in a blog post.
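To make concrete what the signature check is supposed to guarantee, the following is an added example (not code from the article or from Bluebox) of the integrity model a package installer relies on: a manifest listing a digest for every file in the archive, a signature over that manifest, and a verifier that accepts the package only if the signature is valid and every entry on disk matches the manifest. The package layout, the entry names and the HMAC used in place of a developer's RSA signature are all constructed stand-ins so the example runs offline; the point it shows is that any change to a covered file, or any file the manifest does not cover, must cause verification to fail.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed stand-in for a signing key. A real app signature uses the
# developer's private key; HMAC-SHA256 is used here only so the example runs
# offline without generating a key pair.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"

MANIFEST_NAME = "META-INF/MANIFEST.SF"
SIGNATURE_NAME = "META-INF/MANIFEST.SIG"

# Constructed sample package contents (not real app bytecode).
SAMPLE_FILES = {
    "classes.dex": b"constructed stand-in for compiled app code",
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
}


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_signed_package(files: dict) -> bytes:
    """Write files into an in-memory ZIP, add a manifest holding a SHA-256
    digest for every entry, and store a signature over the manifest."""
    manifest = "".join(f"{n}:{_digest(c)}\n" for n, c in sorted(files.items()))
    manifest_bytes = manifest.encode()
    sig = hmac.new(SIGNING_KEY, manifest_bytes, hashlib.sha256).hexdigest().encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
        zf.writestr(MANIFEST_NAME, manifest_bytes)
        zf.writestr(SIGNATURE_NAME, sig)
    return buf.getvalue()


def verify_package(package: bytes) -> tuple:
    """Return (ok, reason). ok is True only if the manifest signature is valid
    and every content entry in the archive matches its manifest digest."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        if MANIFEST_NAME not in names or SIGNATURE_NAME not in names:
            return False, "missing manifest or signature"
        manifest_bytes = zf.read(MANIFEST_NAME)
        expected = hmac.new(SIGNING_KEY, manifest_bytes, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(zf.read(SIGNATURE_NAME), expected):
            return False, "manifest signature invalid"
        # A well-formed package has exactly one entry per name; anything else
        # is rejected outright rather than guessed about.
        if len(names) != len(set(names)):
            return False, "duplicate entry names in archive"
        listed = {}
        for line in manifest_bytes.decode().splitlines():
            name, digest = line.rsplit(":", 1)
            listed[name] = digest
        content = [n for n in names if n not in (MANIFEST_NAME, SIGNATURE_NAME)]
        # Every file present must be listed, and every listed file must be present.
        if set(content) != set(listed):
            return False, "archive entries do not match manifest"
        for name in content:
            if _digest(zf.read(name)) != listed[name]:
                return False, f"digest mismatch for {name}"
    return True, "ok"


def replace_entry(package: bytes, name: str, new_content: bytes) -> bytes:
    """Rewrite the archive with one entry replaced (or added) while leaving the
    signed manifest untouched; used to show that the verifier rejects it."""
    src = zipfile.ZipFile(io.BytesIO(package))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        written = False
        for info in src.infolist():
            if info.filename == name:
                dst.writestr(name, new_content)
                written = True
            else:
                dst.writestr(info.filename, src.read(info.filename))
        if not written:
            dst.writestr(name, new_content)
    return buf.getvalue()


def demo() -> dict:
    """Verify an intact package, a package with a modified file, and a package
    with an extra file the manifest does not cover."""
    pkg = build_signed_package(SAMPLE_FILES)
    return {
        "intact": verify_package(pkg),
        "modified": verify_package(replace_entry(pkg, "classes.dex", b"changed code")),
        "extra_file": verify_package(replace_entry(pkg, "lib/extra.so", b"uncovered")),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The verifier deliberately refuses anything it cannot account for (an unlisted file, a missing file, a repeated entry name) instead of checking only the files named in the manifest; an installer that trusts the signed manifest but then reads files the manifest never covered is exactly the kind of gap the article describes.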
Researchers at Bluebox Labs, who discovered the vulnerability, believe the flaw was introduced with the release of Android 1.6 and could affect up to 900 million devices.
Depending on the type of application, they say a hacker could exploit the vulnerability for anything from data theft to creation of a mobile botnet.
The risk to the enterprise is great, said Forristal, and it is compounded by applications developed by the device manufacturers themselves, because those applications are granted special elevated privileges in Android.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed,” he wrote.
This means the application has the ability to read application data on the device such as email, SMS messages and documents, and retrieve all stored account and service passwords.
“It can essentially take over the normal functioning of the phone and control any function thereof,” said Forristal.
The most unsettling concern, he said, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving nature of these “zombie” mobile devices to create a botnet.
Bluebox disclosed the Android flaw to Google in February, but said it is up to device manufacturers to release firmware updates for mobile devices and up to users to install them.
Bluebox recommends that:
■ Device owners should use extra caution when identifying the publisher of any app they want to download.
■ Enterprises with BYOD implementations should prompt all users to update their devices and highlight the importance of keeping them updated.
■ IT should treat this vulnerability as another reason to move beyond device management alone and focus on deep device integrity checking and securing corporate data.