UPDATE: According to a report by IDG News Service, Google has patched the Google Play store so that trojans attempting to exploit this flaw can’t be downloaded from its store. However, those same protections don’t extend beyond Google’s store.

Android users, beware: there’s a very high chance you’re vulnerable to a trojan horse that could allow attackers to take over your phone.

Bluebox Security has found what they called in a blog post the “master key” to Android: a flaw that allows attackers access to all of the functions of an Android phone.

Jeff Forristal, CTO of Bluebox Security, says that the flaw “(allows) for APK code modification without breaking (an application’s) cryptographic signature.” In other words, an attacker can create a very, very convincing Trojan Horse. According to Bluebox, all devices running Android 1.6 “Donut” or higher are vulnerable to attack.
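The article does not spell out how an APK can be altered while its signature still verifies. Android bug 8219321 is the publicly documented case in which an APK (a ZIP archive) carries two entries with the same file name, and the component that checks the signature and the component that installs the code do not agree on which entry to use. The script below is an added example, not code from Bluebox, Google or the article: it builds constructed test archives in memory (the entry names and contents are made up) and shows the check a defender can run on any APK before trusting it, namely rejecting archives whose central directory lists the same name more than once, and showing that a plain lookup by name silently returns only one of the duplicates.

```python
"""Added example: detect duplicate entry names inside an APK (a ZIP file).

Constructed data only; the ZIP builder exists so the detector has fixtures.
"""
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def build_constructed_apk(entries):
    """Build an in-memory ZIP from (name, data) pairs.

    Duplicate names are written on purpose so the check below has something
    to find. This is constructed test data, not a real APK.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def find_duplicate_entries(apk_bytes):
    """Return {entry_name: count} for every name listed more than once in the
    central directory. A well-formed APK has no duplicates at all."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_digests(apk_bytes, name):
    """SHA-256 of every entry carrying `name`, in directory order, so the
    caller can see that the duplicates really hold different bytes.
    Reading by ZipInfo (not by name) reaches each entry individually."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if info.filename == name]


def content_by_name(apk_bytes, name):
    """What a reader that looks entries up by name gets back. Python's
    zipfile keeps the last entry for a repeated name; other parsers may keep
    the first. Two readers disagreeing is exactly the problem."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def is_safe_to_install(apk_bytes):
    """Policy used by this example: refuse any archive with duplicate names,
    before any signature check is even consulted."""
    return not find_duplicate_entries(apk_bytes)


if __name__ == "__main__":
    clean = build_constructed_apk([
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
        ("classes.dex", b"original dex bytes"),
    ])
    tampered = build_constructed_apk([
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
        ("classes.dex", b"original dex bytes"),
        ("classes.dex", b"modified dex bytes"),  # same name, different content
    ])
    print("clean    :", find_duplicate_entries(clean), is_safe_to_install(clean))
    print("tampered :", find_duplicate_entries(tampered), is_safe_to_install(tampered))
    print("digests  :", entry_digests(tampered, "classes.dex"))
    print("by name  :", content_by_name(tampered, "classes.dex"))
```

Run it on a real APK by replacing the constructed bytes with `open(path, "rb").read()`; any non-empty result from `find_duplicate_entries` is reason enough to refuse the package, regardless of whether its signature verifies.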

This is a serious exploit that allows for incredible amounts of access to the victim’s device. Here’s how Forristal put it:

Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.

Bluebox disclosed the flaw, known as Android security bug 8219321, to Google in February of this year. Now it’s up to manufacturers to produce firmware updates that patch it, and it’s up to carriers to push out those firmware updates.

Needless to say, this is very scary stuff. Bluebox recommends that users keep the firmware on their devices up to date to ensure that they will have the fix when carriers push it out. Until those updates go out, Forristal recommends that “Device owners should be extra cautious in identifying the publisher of the app they want to download.”

Forristal will be discussing the flaw in a talk at this year’s Black Hat conference in Las Vegas.

Comments

  • Matthew Reynolds

    Well, yes. Once an application is signed with the handset key, it will have access privileges for the rest of the device, including accessing and modifying files, sending events to other applications, and listening to input. It’s like installing an application in unix which has ‘run-as-root’ authority.

    Of course, getting the manufacturer’s handset private key might be a little difficult for your average hacker.

    • Deadward Blowden

      I bet NSA’s got ‘em.

  • Guest

    99%, unless you they Google Play Store…which is 99% of Android users. So really less than 1% are vulnerable.

    • Guest

      ‘they use’

  • http://www.contractphoneswithfreegifts.com/ Richard Querrey

    Blown out of proportion this. Yes it’s an exploit but I can’t see it getting taken advantage of that easily.
