99% of Android apps vulnerable to attackers without breaking signatures

Published July 5, 2013
Android Developers Conference 28 june 2012. — Reuters Photo
Android Developers Conference 28 june 2012. — Reuters Photo

The Android operating system has been vulnerable to hackers for the past four years, allowing them to modify or manipulate any legitimate application and enabling them to transform it into a Trojan program.

These Trojan programs can further be used to steal data or take control of the OS.

Researchers at Bluebox Security, a mobile security startup firm in San Francisco, uncovered the flaw and will be addressing the issue in detail at the Black Hat USA security conference in Las Vegas in coming weeks.

The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed application packages (APKs) without breaking their signatures.

When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.

The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said in a blog post.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.

Opinion

Who bears the cost?

Who bears the cost?

This small window of low inflation should compel a rethink of how the authorities and employers understand the average household’s

Editorial

Internet restrictions
Updated 23 Dec, 2024

Internet restrictions

Notion that Pakistan enjoys unprecedented freedom of expression difficult to reconcile with the reality of restrictions.
Bangladesh reset
23 Dec, 2024

Bangladesh reset

THE vibes were positive during Prime Minister Shehbaz Sharif’s recent meeting with Bangladesh interim leader Dr...
Leaving home
23 Dec, 2024

Leaving home

FROM asylum seekers to economic migrants, the continuing exodus from Pakistan shows mass disillusionment with the...
Military convictions
Updated 22 Dec, 2024

Military convictions

Pakistan’s democracy, still finding its feet, cannot afford such compromises on core democratic values.
Need for talks
22 Dec, 2024

Need for talks

FOR a long time now, the country has been in the grip of relentless political uncertainty, featuring the...
Vulnerable vaccinators
22 Dec, 2024

Vulnerable vaccinators

THE campaign to eradicate polio from Pakistan cannot succeed unless the safety of vaccinators and security personnel...