99% of Android Phones Vulnerable to Hackers

News Article - Friday, 05 July 2013 11:25

By: Kerry Butters Category: Security

A research team at Bluebox Security has found that all Android phones released in the past four years have an operating system vulnerability, which could allow complete control by hackers and malware to be easily planted on a device.

The bug allows the APK code to be modified without breaking the cryptographic signature of any application. This means that there is the potential for any legitimate application to be turned into a malicious Trojan.

"A hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” Jeff Forristal, Bluebox CTO said in a blog post.

Potentially this means that the risk to enterprises and individuals is huge, as a malicious app is capable of accessing personal data or gaining entry into an enterprise network. It’s especially dangerous due to its ability to alter legitimate apps, as those that are developed by manufacturers work in cooperation with System UID access.

Manufacturer apps that are hacker controlled would then have the ability to completely take over the devices, all of its apps, email, SMS, passwords and documents and could be further used to create an "always on, always connected, and always moving” network of mobile zombie devices to create a botnet.

Bluebox reported the issue to Google back in February of this year and say it’s now up to device manufacturers to produce and release firmware updates.

Mr Forristal will release technical details and related tools in an upcoming talk at Black Hat USA 2013 . The talk will also cover details on how the bug was found and exactly how it works and for those who can’t attend the talk, a follow up blog entry will be posted on the Bluebox website.

The security company say that enterprises should encourage all Android users on a BYOD scheme to install any available updates. Additionally, Bluebox say that IT departments should "see this vulnerability as another driver to move beyond just device managementto focus on deep device integrity checking and securing corporate data.”

Recent Articles