New Android 'vulnerability detected'
Dubai, July 14, 2013
Security researchers have discovered a new vulnerability in Android phones which could allow installed apps to be modified without the user being aware of it, a report said.
Almost all Android devices are vulnerable, as the vulnerability has existed since Android 1.6 (Donut), and currently only the Samsung Galaxy S4 has been patched to protect against it, said the Trend Micro statement.
The vulnerability is known in some quarters as the “master key” vulnerability.
The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route. An app can only be updated if the new version has a matching signature from the same developer.
This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.
This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk, it said.
Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.
Trend Micro has updated its Mobile App Reputation Service to detect apps that abuse this vulnerability. "For users of Trend Micro Mobile Security, we have released an update to the pattern to ensure that we will detect apps that target this particular vulnerability. (All users with pattern version 1.513.00 or later are covered.) This is sufficient to ensure that our users are protected from this threat," said the statement.
"We strongly suggest disabling the ability to install apps from sources outside of Google Play. This setting can be found under Security in the system settings of Android devices," it said.
Google has taken some steps to protect users. They’ve modified the backend of their online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat, it said. - TradeArabia News Service
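
As an added illustration (not part of the original article or of Trend Micro's statement), the Python code below shows the per-file digest check that underlies the signing scheme described above: in the JAR-style signing Android used at the time, META-INF/MANIFEST.MF records a digest for each file in the package, so a file changed after signing no longer matches. It checks digests only, not the developer's signature over the manifest or the matching-certificate rule for updates; the function names and the sample archives are constructed for this example.

```python
import base64, hashlib, io, zipfile

# Manifest digest headers and the hashlib algorithm each one names.
DIGEST_HEADERS = {"SHA-256-Digest": "sha256", "SHA1-Digest": "sha1"}

def parse_manifest(text):
    """Return {entry name: (hash algorithm, base64 digest)} from MANIFEST.MF."""
    # Normalise line endings, then unfold continuation lines (they start with a space).
    text = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in text.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in section.split("\n") if ": " in line)
        for header, algo in DIGEST_HEADERS.items():
            if "Name" in attrs and header in attrs:
                entries.setdefault(attrs["Name"], (algo, attrs[header]))
    return entries

def audit(apk_bytes):
    """List files whose content does not match, or is missing from, the manifest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signing metadata and directory entries are skipped here
            if name not in manifest:
                problems.append((name, "not listed in manifest"))
                continue
            algo, expected = manifest[name]
            actual = base64.b64encode(hashlib.new(algo, zf.read(info)).digest()).decode()
            if actual != expected:
                problems.append((name, "digest mismatch"))
    return problems

def build_sample(files, manifest_files=None):
    """Constructed archive: stores `files`; the manifest describes `manifest_files`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (manifest_files or files).items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample contents, not taken from any real app.
ORIGINAL = {"classes.dex": b"constructed original code", "res/icon.png": b"constructed icon"}
MODIFIED = {**ORIGINAL, "classes.dex": b"constructed modified code"}
```

Calling `audit(build_sample(MODIFIED, manifest_files=ORIGINAL))` reports `classes.dex` as a digest mismatch, while an unmodified archive returns an empty list.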