Newly Discovered Android Master Key Poses Monumental Security Threat
[Image: Android Master Key Attack ‘Threatens Almost All Android Devices’. Researchers claim they can alter an Android application’s code without affecting the signature used to check the software’s validity]
Systems administrators always preserve for themselves a backdoor entrance into any system, even when such entrances are not supposed to exist. This is done to ensure their ability to support a system if all other means fail.
Did a rogue systems administrator do the same with the Android operating system? Security research company Bluebox is reporting that it has uncovered a master key for the Android operating system that will allow a user unfettered access to the contents of any Android phone with O/S versions dating back to 2009. Um... isn't that EVERY Android phone? With the master key, a user can lift photographs, texts, videos, etc. from a phone.
The hacker can even use the phone to eavesdrop on private conversations.
Writing on the Bluebox blog, Jeff Forristal said the implications of the discovery were "huge".
While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access.
Forristal goes on to explain that the exploit can lead to the installation of a trojan:
Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
Google has made no comment on the merits of the claim. Apparently, Bluebox informed Google about this "feature" (IT politically correct parlance for a "bug") back in February. The Google Store now has an app that seeks to locate any rogue program attempting to exploit the master key security hole.
Thus far, no hacker has been found to have exploited the potential security breach, but some serious hacker street "cred" awaits the person(s) who can cause cyber-bedlam over this key.
- Device owners should be extra cautious in identifying the publisher of the app they want to download.
- Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
- IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
[Image: The screenshot demonstrates that Bluebox Security has been able to modify an Android device manufacturer’s application to the level that we now have access to any (and all) permissions on the device. In this case, we have modified the system-level software information about this device to include the name “Bluebox” in the Baseband Version string (a value normally controlled & configured by the system firmware).]