MOBILE SECURITY / PEN TESTING MOBILE DEVICES: ANDROID SECURITY HOLES
Did you know that a whopping 99 percent of all mobile malware in 2013 targeted ANDROID devices? Android users also have the highest encounter rate (71 percent) with all forms of web-delivered malware.
Mobile security research conducted over the last twelve months has unearthed a vulnerability in Android’s security model which, the researchers say, means that nearly 900 million Android phones released in the past four years could be exploited, or some 99% of Android devices. The vulnerability has apparently been around since Android v1.6 (Donut), and was disclosed by the research firm to Google back in February of 2013. The Samsung Galaxy S4 has already apparently been patched.
The vulnerability apparently allows a hacker to turn a legitimate app into a malicious Trojan by modifying APK code without breaking the app’s cryptographic signature. The flaw exploits discrepancies in how Android apps are cryptographically verified and installed: the code that checks the signature and the code that installs the package do not interpret the APK identically. Specifically, it allows a hacker to change an app’s code while leaving its cryptographic signature unchanged — thereby tricking Android into believing the app itself is unchanged, and allowing the hacker to wreak their merry havoc.
The flaw is made worse if an attacker targets a subset of apps developed by device makers themselves, or by third parties — such as Cisco with its AnyConnect VPN app — that work closely with device makers and are granted system UID access. This subset of apps can allow a hacker to tap into far more than mere app data, with the potential to steal passwords and account info and take over the normal running of the phone. Here’s how it is done:
Installation of a Trojan application signed as if by the device manufacturer can grant the application full access to the Android system and to all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.) and retrieve all stored account and service passwords; it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
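The post does not describe the mechanism behind the verifier/installer discrepancy. The check below is an added example, not code from the original post or from the researchers: it walks an APK's ZIP central directory by hand and flags any entry name listed more than once, since an archive that carries two copies of the same file is one well-known way two parsers can end up seeing different content behind a single signature. The sample APK it scans is constructed inline for the demonstration.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed sample: a minimal ZIP standing in for an APK."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035 original code")
            if duplicate:
                # A second entry under the same name: which copy a given
                # parser picks is parser-specific, so a signature check and
                # an installer may disagree about what the package contains.
                zf.writestr("classes.dex", b"dex\n035 modified code")
    return buf.getvalue()

def central_directory_names(apk: bytes) -> list:
    """Return every entry name in the central directory, including repeats
    that a convenience API would silently collapse into one."""
    eocd = apk.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_offset = struct.unpack("<HII", apk[eocd + 10:eocd + 20])
    names, pos = [], cd_offset
    for _ in range(count):
        if apk[pos:pos + 4] != b"PK\x01\x02":  # central file header signature
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack("<HHH", apk[pos + 28:pos + 34])
        names.append(apk[pos + 46:pos + 46 + name_len].decode("utf-8"))
        pos += 46 + name_len + extra_len + comment_len
    return names

def duplicate_entries(apk: bytes) -> dict:
    """Map each entry name that appears more than once to its occurrence count.
    A non-empty result means the package should be rejected before install."""
    return {n: c for n, c in Counter(central_directory_names(apk)).items() if c > 1}

if __name__ == "__main__":
    for flag in (False, True):
        print("duplicates:", duplicate_entries(build_sample_apk(flag)))
```

The same walk can be pointed at a real APK file by reading its bytes; a clean package returns an empty dictionary.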
While 99% of Android phones being technically vulnerable to app hackers is a tough stat to ignore, it’s worth emphasizing that just because such a flaw (apparently) exists, it doesn’t mean it has been or will be widely exploited — especially as, in this instance, it was flagged to Google prior to being made public. And Google is presumably hard at work on a fix.
That said, the nature of the Android ecosystem does slow down the patching process. On the fix front, the researchers note that it will be up to device manufacturers to “produce and release firmware updates for mobile devices (and furthermore for users to install these updates)”, adding: “The availability of these updates will widely vary depending upon the manufacturer and model in question.”
The Saturn Partners (www.saturnpartners.com) has over a dozen years of experience addressing security issues involving mobile devices in use in several industries, including retail, banking, health care, utilities, education and others. Please visit us at our website or email us at email@example.com for more information on securing your mobile environment through assessments and the development of a state-of-the-art security environment for the mobile workplace.