22.32KB
36 downloads
A critical vulnerability that affects an estimated 99% of the Android devices now in operation could allow attackers to use exploit code to easily infect devices with a Trojanized version of a legitimate app.
Last week, researchers from Bluebox Security have made a disconcerting revelation: Google's Android mobile OS carries a critical bug that allows attackers to modify the code of any app
without breaking its cryptographic signature, and thusly allows them to stealthily plant malicious apps on legitimate app stores and users' phones.
The demo, here , occupies just 32 lines of shell script – it doesn't actually plant malware into the target code, it merely allows an app to masquerade under another app's identity.
Information about the flaw, which was discovered earlier this year, was shared with Google in February 2013, and has already been fixed. But the main problem is, as stated numerous times, that device manufacturers and carriers are unlikely to be very prompt in pushing out patched Android versions to users, and users of older devices already don't receive receive security updates.
The good news is that the bug hasn't, so far, been spotted being exploited in the wild, but that might soon change as security researcher Pau Oliva published has proof-of-concept code that can exploit it.
Oliva, who is a mobile security engineer at viaForensics, says that he has created the POC after reading details about the bug in a publicly available Cyanogenmod report. The developers of the popular modified Android firmware have already pushed out a patch for it.
Google maintains its advice that users should stay away from third-party Android app markets.
VIA:
