Android ‘master key’ vulnerability discovered puts 99% of devices at risk

News

By Mary-Ann Russon

Researchers have discovered a new vulnerability in the Google Android mobile operating system that could affect every single Android smartphone that has been released since Android 1.6 “Donut” debuted in 2009, i.e. 900 million Android smartphones.

The bug allows a hacker to modify the Android APK code without breaking a mobile application’s cryptographic signature (used by Android to determine whether or not apps have been tampered with), meaning that any application can be turned into a Trojan without being noticed by the app store, user or the phone.

However, the risk is even greater when it comes to applications that have been developed by the device manufacturers or third-parties working together with the manufacturer.

These apps, such as Cisco’s enterprise “AnyConnect VPN”, are granted access to the System UID within the Android operating system.

According to a blog by Jeff Forristal, CTO of Bluebox Security, if a hacker is able to take control of an application with System UID access, a special privilege, then that Trojan app would be able to read all emails, SMS and documents, retrieve all stored account passwords.

Even more frightening, the malware would be able to take control of the phone’s functions to make phone calls, send SMS and turn on the camera.

It would also enable the hacker to link the compromised handset to other compromised handsets and create an “always-on, always-connected, and always-moving” botnet that could be used for big cyber attacks and corporate espionage as seen in the last two years with financial institutions, news organisations and government agencies on the Web.

Bluebox informed Google about the vulnerability back in February.

The most recent version of Android's OS is version 4.2, codenamed "Jelly Bean". Android version 2.3–2.3.2 "Gingerbread" remains the most widely used version of the mobile operating system.

Security software firm AVG are the creators of AVG AntiVirus, which is currently the most downloaded antivirus software for Android.

“AVG are aware of the latest threat which reports a vulnerability in Android OS. Although users downloading apps from Google Play are potentially safe, other Android stores may distribute infected apps signed by trusted certificates,” AVG’s CTO Yuval Ben-Itzhak told Mobile Europe.

“It is clear that this vulnerability impacts many of Android’s OS users worldwide and AVG are managing this threat in its research labs.”

Google has declined to comment.