Android ‘Master Key’ Security Hole Puts 99% Of Devices At Risk Of Exploitation

Mobile security startup Bluebox Security has unearthed a vulnerability in Android’s security model which it says means that the nearly 900 million Android phones released in the past four years could be exploited, or some 99% of Android devices. The vulnerability has apparently been around since Android v1.6 (Donut), and was disclosed by the firm to Google back in February. The Samsung Galaxy S4 has already apparently been patched.

It’s likely that Google is working on a patch for the vulnerability. We’ve reached out to the company for comment and will update this story with any response.

Bluebox intends to detail the flaw at the Black Hat USA conference at the end of this month but in the meanwhile it’s written a blog delving into some detail. The vulnerability apparently allows a hacker to turn a legitimate app into a malicious Trojan by modifying APK code without breaking the app’s cryptographic signature. Bluebox says the flaw exploits discrepancies in how Android apps are cryptographically verified and installed. Specifically it allows a hacker to change an app’s code, leaving its cryptographic signature unchanged — thereby tricking Android into believing the app itself is unchanged, and allowing the hacker to wreak their merry havoc.

The flaw is made worse if an attacker targets a sub-set of apps developed by device makers themselves, or third parties — such as Cisco with its AnyConnect VPN app — that work closely with device makers and are granted system UID access. This sub-set of apps can allow a hacker to tap into far more than just mere app data, with the potential to steal passwords and account info and take over the normal running of the phone. Here’s how Bluebox explains it:

"Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.

While 99% of Android phones being technically vulnerable to app hackers is a tough stat to ignore, it’s worth emphasising that just because such a flaw (apparently) exists it doesn’t mean it has or will be widely exploited — especially as, in this instance, it has been flagged to Google prior to being made public. And Google is presumably hard at work on a fix.

That said, the nature of the Android ecosystem does slow down the patching process. On the fix front, Bluebox notes that it will be up to device manufacturers to “produce and release firmware updates for mobile devices (and furthermore for users to install these updates)”, adding: “The availability of these updates will widely vary depending upon the manufacturer and model in question.”

Getting timely OS updates has always been a problem for Android users (Nexus owners are the exception), owing to Android’s openness necessarily encouraging variation and fragmentation within the ecosystem, with different manufacturer skins and carrier additions all standing in the way and delaying updates. That likely means the window of risk attached to this latest Android vulnerability takes longer to close for the majority of users than many would be comfortable with.

In the meantime, Bluebox advises the following:

• Device owners should be extra cautious in identifying the publisher of the app they want to download.
• Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
• IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.

Android is often linked with malware — not because there’s a high actual risk of users being infected with malware but because, in relative terms, it’s the biggest target for mobile malware writers, being as it’s the dominant mobile OS. It’s also not as locked down as some other mobile platforms, making it an easier target for hackers. Yet its worth stressing that mobile malware remains a very marginal risk, even for Android users, and especially if you’re a mainstream user getting your apps from the likes of Google Play, rather than alternative third-party app stores or routes.

This latest Android security flaw adds to the general low-level risk attached to using Android but how widely it ends up being exploited by malware writers remains to be seen — so how much more actual risk it introduces into the ecosystem is hard to quantify.

Update: According to a report in CIO, Google has already modified its Play Store’s app entry process so that apps that have been modified using this exploit are blocked and can no longer be distributed via Play.

Google Will Soon Launch Google Web Designer, A Free HTML5 Development Tool For Creating Web Apps, Sites And Ads

Google will soon launch Google Web Designer, an HTML5 development tool for “creative professionals.” The service, Google says, will launch within “the coming months” and is meant to “empower creative professionals to create cutting-edge advertising as well as engaging web content like sites and applications – for free.”

The company shared this news in a sidenote in a blog post about its DoubleClick advertising platform this morning. We reached out to Google to find out more about this project and a company spokesperson told me that Web Designer will indeed be a stand-alone product that’ll be aimed at creative agencies and designers.

This description obviously doesn’t give us much to go on, but Google notes that the tool will be integrated with DoubleClick Studio and AdMob. Google is clearly going after the “native” ads market, as well (think online brand experiences and sponsored stories), so the connection between Web Designer and DoubleClick makes sense. But it sounds like this tool will be quite a bit more capable and will go quite a bit beyond ads, though Google told me that it’s focus will be on creative advertising creatives.

Google’s only service for creating websites right now is Google Sites, which allows you to easily create basic sites and wikis from pre-built templates. That product has lingered without any meaningful updates for a while now, so maybe Web Designer will be a more sophisticated replacement for Sites’ editor. Update: Just to clarify: Web Designer is clearly not meant to be a website building service for now, but it’s easy to envision Google using at least parts of this product in some of its other apps, too.

It’ll be interesting to see how competitive Web Designer will be with tools like Square space weebly or Wix’s HTML5 website builder. When it comes to native formats for ads, the standard is now something more akin to the New York Time’s Snow Fall than just a basic site, so Google will have to step up its game if it wants to make it easy for marketers to create these kind of experiences.