99% of Android apps vulnerable to attackers without breaking signatures

Published July 5, 2013
Android Developers Conference 28 june 2012. — Reuters Photo
Android Developers Conference 28 june 2012. — Reuters Photo

The Android operating system has been vulnerable to hackers for the past four years, allowing them to modify or manipulate any legitimate application and enabling them to transform it into a Trojan program.

These Trojan programs can further be used to steal data or take control of the OS.

Researchers at Bluebox Security, a mobile security startup firm in San Francisco, uncovered the flaw and will be addressing the issue in detail at the Black Hat USA security conference in Las Vegas in coming weeks.

The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed application packages (APKs) without breaking their signatures.

When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.

The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said in a blog post.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.

Opinion

Editorial

Kurram atrocity
Updated 22 Nov, 2024

Kurram atrocity

It would be a monumental mistake for the state to continue ignoring the violence in Kurram.
Persistent grip
22 Nov, 2024

Persistent grip

An audit of polio funds at federal and provincial levels is sorely needed, with obstacles hindering eradication efforts targeted.
Green transport
22 Nov, 2024

Green transport

THE government has taken a commendable step by announcing a New Energy Vehicle policy aiming to ensure that by 2030,...
Military option
Updated 21 Nov, 2024

Military option

While restoring peace is essential, addressing Balochistan’s socioeconomic deprivation is equally important.
HIV/AIDS disaster
21 Nov, 2024

HIV/AIDS disaster

A TORTUROUS sense of déjà vu is attached to the latest health fiasco at Multan’s Nishtar Hospital. The largest...
Dubious pardon
21 Nov, 2024

Dubious pardon

IT is disturbing how a crime as grave as custodial death has culminated in an out-of-court ‘settlement’. The...