Following the recent BadNews bug scandal, Google and the Android platform find themselves caught up in another controversy. Simply put, Bluebox Security has recently stumbled across a security vulnerability believed to affect around 99% of all Android devices. However, while the BadNews issue was identified and quickly dealt with, it appears that this vulnerability has been lingering in Android smartphones and tablets for almost 4 years, since Android version 1.6 was launched.
What’s even worse is that while BadNews simply stole money from users by making high-charge calls, the newly discovered flaw allows hackers to alter the code of existing apps without invalidating their digital signatures and turn them into a Trojan. Afterwards, the resulting malware can be employed to steal personal data or to take control of the operating system.
How is this even possible?
Frankly, it was just a matter of time before mobile users were confronted with security issues. Tablets and smartphones are commonly used these days, in spite of the fact that many of us already know that their security capabilities are far behind desktop antivirus and firewall software. The vulnerability here comes mainly from how apps are verified and installed, meaning that when you download and install an app for Android, you specifically allow APK code modification.
However, while the APK code is altered, the cryptographic signature – the one responsible for verifying that an app is legitimate and determining whether or not it has been tampered with – remains untouched. Therefore, because the signature that identifies threats is intact, a hacker could easily fool the operating system into allowing the installation of a malicious app.
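To make the point above concrete, here is an added example (my own illustration, not code from Bluebox Security or from Android's installer). Classic APK signing is JAR signing: `META-INF/MANIFEST.MF` lists a `SHA1-Digest` for every file in the archive, and the signature files cover that manifest. A verifier that stops at the signature and never recomputes each entry's digest against the bytes actually present is exactly the kind of check that lets code change while the signature stays intact. The script builds a constructed APK-like ZIP, then compares the manifest digests against the real entry contents; the RSA signature over the manifest is omitted, and the manifest parser is simplified (no line wrapping, no CRLF handling), so treat it as a demonstration of the per-entry check, not a drop-in APK verifier.

```python
import base64
import hashlib
import io
import zipfile


def build_manifest(entries):
    """Build a JAR-style META-INF/MANIFEST.MF with a SHA1-Digest per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    return "\n".join(lines).encode()


def build_apk(entries, manifest=None):
    """Pack entries into an in-memory ZIP; an explicit manifest lets us leave it stale on purpose."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   manifest if manifest is not None else build_manifest(entries))
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def parse_manifest(text):
    """Return {entry name: base64 SHA-1 digest} from Name/SHA1-Digest sections (simplified parser)."""
    digests, current = {}, None
    for line in text.decode().splitlines():
        if line.startswith("Name: "):
            current = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and current:
            digests[current] = line[len("SHA1-Digest: "):]
        elif line == "":
            current = None
    return digests


def verify_entry_digests(apk_bytes):
    """Recompute every non-META-INF entry's digest and compare with the manifest.

    Returns a list of problems (empty when every entry matches). Catching both
    mismatched and unlisted entries is what keeps a stale-but-signed manifest
    from vouching for content it never covered.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        for info in z.infolist():
            name = info.filename
            if name.startswith("META-INF/"):
                continue
            expected = digests.get(name)
            if expected is None:
                problems.append(f"{name}: not listed in manifest")
                continue
            actual = base64.b64encode(hashlib.sha1(z.read(name)).digest()).decode()
            if actual != expected:
                problems.append(f"{name}: content digest does not match manifest")
    return problems


# Constructed sample contents (not a real app); file names mimic an APK layout.
ORIGINAL = {"classes.dex": b"dex\n035\x00original bytecode",
            "res/layout/main.xml": b"<layout/>"}
TAMPERED = dict(ORIGINAL, **{"classes.dex": b"dex\n035\x00modified bytecode"})


def demo():
    """Return (problems for the untouched APK, problems for the APK whose code changed under a stale manifest)."""
    good = build_apk(ORIGINAL)
    # The code changed, but the manifest that the signature covers was left untouched.
    bad = build_apk(TAMPERED, manifest=build_manifest(ORIGINAL))
    return verify_entry_digests(good), verify_entry_digests(bad)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns an empty list for the intact archive and a single `classes.dex` mismatch for the modified one; the manifest, and therefore any signature over it, is byte-for-byte identical in both cases, which is why the per-entry digest comparison has to happen at install time rather than being inferred from a valid signature.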
Is it safe to use my Android device?
It is important to note that code security risks can be classified into two categories: vulnerabilities and malicious functionality. Vulnerabilities refer to sensitive data being leaked, stored or transmitted insecurely because of errors in design or implementation, whereas malicious functionality covers dangerous code behaviours that act like spyware, unauthorized premium dialing or phishing UIs after installation. The issue described here is a little bit of both.
Luckily, Google has known about the security issue since February 2013 and actually took immediate action by implementing various checks to prevent developers from exploiting this bug. Moreover, the details of the vulnerability were revealed to the Open Handset Alliance in order for them to come up with and release patches to correct the problem.
Don’t relax, be vigilant!
While the vulnerability was handled discreetly and promptly, Bluebox Security decided to reveal the risk to the public because at this point it’s impossible for Google to roll out a system-wide update to deal with the problem once and for all. Essentially, since old devices no longer receive updates, they remain vulnerable. Frankly, even owners of the newest Samsung, HTC or Motorola devices should be careful, as depending on the model and manufacturer, the required updates might not be out yet.
So far, Google has announced that this issue has been addressed on the Samsung Galaxy S4, but has declined to comment on when the next patch for Nexus devices will be out. This doesn’t really come as a surprise, considering that this is neither the first nor the last time the Android OS has been criticized for lack of communication between partners, incoherence, and vulnerabilities that put users and their data at risk. Moreover, various mobile security companies have pointed out that one in two Android devices is vulnerable to at least one known Android security flaw.
What can I do about it?
Although you might feel shocked and outraged at this point, don’t fret; there are some measures you can take to keep malware off your phone. Start by making sure you install apps only from reliable and trustworthy sources. As previously mentioned, Google Play is your best bet so far, since it doesn’t allow apps that could take advantage of this flaw. Downloading apps from any other source – including the Amazon or Samsung store – is not recommended until they confirm the issue has been resolved.
In addition, you should never leave your phone unattended, especially when you’re around people you don’t really know. Lastly, never transfer data from another device if you suspect it’s infected with malware, even over a USB cable.