A research team at Bluebox Security has found that all Android phones released in the past four years have an operating system vulnerability that could allow hackers to take complete control of a device and easily plant malware on it.
The bug allows an application's APK code to be modified without breaking its cryptographic signature. This means that any legitimate application could potentially be turned into a malicious Trojan.
"A hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," Jeff Forristal, Bluebox CTO, said in a blog post.
Potentially this means that the risk to enterprises and individuals is huge, as a malicious app is capable of accessing personal data or gaining entry into an enterprise network. It is especially dangerous because of its ability to alter legitimate apps, since those developed by device manufacturers run with System UID access.
Manufacturer apps under hacker control would then have the ability to completely take over the device, including all of its apps, email, SMS, passwords and documents, and could be further used to create an "always on, always connected, and always moving" network of mobile zombie devices to create
Bluebox reported the issue to Google back in February of this year and say it is now up to device manufacturers to produce and release
Mr Forristal will release technical details and related tools in an upcoming talk at Black Hat USA 2013. The talk will also cover details on how the bug was found and exactly how it works; for those who cannot attend the talk, a follow-up blog entry will be posted on the Bluebox website.
The security company say that enterprises should encourage all Android users on a BYOD scheme to install any available updates. Additionally, Bluebox say that IT departments should "see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data."