New Android 'vulnerability detected'
Dubai, July 14, 2013
Security researchers have discovered a new vulnerability for Android phones which could allow installed apps to be modified without the user being aware of it, a report said.
Almost all Android devices are vulnerable, as the vulnerability has existed since Android 1.6 (Donut), and currently only the Samsung Galaxy S4 has been patched to protect against it, said the Trend Micro statement.
The vulnerability is known in some quarters as the “master key” vulnerability.
The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route. An app can only be updated if the new version has a matching signature from the same developer.
This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.
This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with much permission – like those from the phone’s manufacturer or the user’s service provider – are at particular risk, it said.
Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.
Trend Micro has updated its Mobile App Reputation Service to detect apps that abuse this vulnerability. "For users of Trend Micro Mobile Security, we have released an update to the pattern to ensure that we will detect apps that target this particular vulnerability. (All users with pattern version 1.513.00 or later are covered.) This is sufficient to ensure that our users are protected from this threat," said the statement.
"We strongly suggest disabling the ability to install apps from sources outside of Google Play. This setting can be found under Security in the system settings of Android devices," it said.
Google has taken some steps to protect users. They’ve modified the backend of their online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat, it said. - TradeArabia News Service