Massive Android flaw leaves 99% of devices vulnerable
Discovery by security firm Bluebox offers a 'master key' to hackers
Thursday 04 July 2013
Security researchers have discovered a dangerous flaw in Google’s Android operating system that allows hackers to take full control of smartphones running the OS. The team behind the discovery – Bluebox Security – claim that “99% of devices” are vulnerable.
In a post on their website detailing their research, Bluebox CTO Jeff Forristal says that the mistake has been present since the release of Android 1.6 in September 2009, potentially affecting nearly 900 million devices.
The vulnerability stems from “discrepancies” in how Android verifies and installs third-party software (whether that is built by developers or by manufacturers). The cryptographic checks meant to guarantee that apps have not been tampered with or modified have been found to be deficient.
“[A malicious application] not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone,” said Forristal.
“Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.”
Despite this, it is comforting that the loophole was discovered through independent research rather than during an investigation of any particular malware, meaning that malicious exploitation of the flaw is so far only hypothetical.
Bluebox notified Google of the flaw in February 2013 but did not detail how the company had responded to the threat. “It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates),” said Forristal.
Google have so far declined to comment.