Android flaw allows hackers to alter apps

nestor e. arellano

11 years ago

A weakness in the Android security models enables hackers to modify the application package file (APK) code in a device and turn legitimate applications into a malicious Trojan, according to mobile security firm Bluebox.

“The implications are huge,” according to Jeff Forristal, CTO of the Calif.-based BlueBox. “This vulnerability, around at least since the release of Android 1.6 (codename: Donut) could affect any Android phone released in the last four years – or nearly 900 million devices…”

Depending on the type of application on the device, he wrote in a recent blog, a hacker can exploit the vulnerability for anything “from data theft to the creation of a mobile botnet.”

The Android APK is a file format used to distribute an install application software and middleware on the Android operating system.

Forristal said, the flaw discovered by Bluebox allows the modification of the APK code without having to break an app’s cryptographic signature.

He said the risk to individuals and enterprise organizations is great because malicious apps can access personal data or gain entry into an enterprise network.

“This risk is compounded when you consider that applications developed by device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third parties that work in cooperation with the device manufacturers (e.g. Cisco with AnyConnect VPN) that are granted special elevated privileges within Android – specifically System UID access,” said Forristal.

For instance, an application that has been turned into a Trojan malware can gain access to the Android system and all applications in the device. The altered app can read arbitrary application data on the device such as email, SMS messages and documents, retrieve stored account and service passwords. The Trojan can also take over phone functions and make arbitrary phone calls or arbitrary SMS messages or turn one the device camera or record calls.

A hacker can also take advantage of a device’s always-on, always-connected capability to turn the device in a “zombie” mobile device to create a botnet.

Forristal recommends that Android device owners exercise the following precautions:

Make sure apps being downloaded into the device are legitimate
Enterprise with BYOD implementations should alert user about the flaw and urge them to update devices diligently

“IT administrators should look beyond device management and focus on deep device integrity checking and securing corporate data,” said Forristal.