A much-reported security flaw in Android allegedly renders “99 per cent of devices vulnerable” to malware attack. But before you panic and start disconnecting every Android device in sight from your corporate networks, a little investigation might be in order.
In a blog post, security consultancy Bluebox revealed that earlier this year it discovered a bug in Android that made it possible (in theory) to alter the code in a given Android APK (the file in which an application is packaged) in such a way that the alteration was not obvious to Android’s built-in checking systems. Android uses a cryptographic signature to check that code hasn’t been altered; Bluebox says the bug makes it possible to alter the code without this change being registered.
Bluebox hasn’t issued a detailed description yet of how the vulnerability works; this will apparently be disclosed at the US Black Hat conference at the end of July. And that’s a crucial point: the issue hasn’t been spotted in the wild, and a detailed description of how to exploit the vulnerability has not been issued.
Bluebox says it notified Google of the issue in February and that patching of specific device versions of Android has commenced. The scheduled conference date makes it probable that patches for many newer phones will be available before then; it’s considered very bad form in security circles to disclose details of vulnerabilities without giving the software’s developer a chance to patch the issue. Bluebox’s own post notes:
It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question.
The complication for Android is that many older phones can’t be upgraded without rooting the device, or simply can’t be upgraded at all. Those devices are likely to remain vulnerable once details of the exploit are more widely known.
Crucially, altering an Android application can change its behaviour, but doesn’t alter the permissions which it already has. If a given app doesn’t have permission to access your camera, this hack won’t change that.
Good security practice for Android requires actually checking the permissions associated with an app; if there’s no obvious reason why an app should need permission to make phone calls, for instance, then installing one that asks for that permission is unwise.
The Bluebox blog post highlights that the major risk for most Android owners will occur if the custom apps added by many phone manufacturers are hacked. Those custom UIs typically have full system access, so the scope of malicious behaviour will be much broader. As Bluebox puts it: “Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed.”
The big lesson here: devices running stock Android are at less risk (as well as being, for the most part, less annoying).
How to respond
While there is a lot of ill-informed, panicked advice out there telling users not to install any non-Google apps for the time being, this is an overreaction. Users running Android security software that checks for suspicious behaviour (rather than relying solely on signatures) will be far less vulnerable, since those activities will be flagged by the software.
The issue highlights one of the oldest lessons in IT security: keep your devices patched and up-to-date. This is sensible for everyone, but essential in environments where phones are given access to potentially sensitive data.
Best practice for IT management dictates not just protecting apps, but encrypting data. Bluebox itself makes the point well: “IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.” If your workplace security policy consists of nothing more than telling people they are responsible for their own devices, your problems run a lot deeper than a newly-discovered vulnerability.