Solved

'Master key' to Android phones uncovered


A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.
The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.
The loophole has been present in every version of the Android operating system released since 2009.
 
Full Story - http://www.bbc.co.uk/news/technology-23179522

Best answer by DanP 16 July 2013, 19:08


6 replies

"One other hurdle is that in order to catch out Android users, malicious hackers would have to get their booby-trapped version of a legitimate application on to the Google Play store"
 
Not so fast on that one... actually that can be avoided. Tricking the customer into disabling the security of "Do not allow third party apps" would evade that. Now I know most consumers should be smart enough to not do that... but you know that, if well worded, people can be tricked into a whole lot of things.
 
HUGE hole that does need attention... but I wonder this: would the Webroot Android app protect against this kind of an exploit?
Not surprisingly, some information has been left out of most articles covering this.
 
"Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said."
 
https://www.cio.com.au/article/466577/vulnerability_allows_attackers_modify_android_apps_without_breaking_their_signatures/
 
As DavidP suggested, making sure that you do not have the option to allow installation from unknown sources enabled will help protect you from this exploit.
 
Vendor and Certificate spoofing is very common among Android malware. This exploit may go beyond what is already being used, but we look at what the app is actually doing, so the digital signature doesn't mean much if the app has obvious malicious intent.
 
-Dan
Dan,

Great reply, and really just what I expected 🙂 thanks for weighing in!
Our Security Intelligence Director, @ was recently quoted in a related article on this topic. That article is available here.
The key to mobile security is to protect devices from all sides. Consumers and businesses should ensure they have the four corners of mobile security covered: identity protection to protect passwords and other personal information; the ability to automatically block mobile threats from malware and malicious apps, an in-built device locator which helps find your mobile phone if stolen and finally the system installed should be designed to ensure the usability of the device is not forfeited in the name of security – users are more likely to ignore security protection if it hampers the rich features of their device. With these four pillars in place, you form a strong line of defense against cybercrime which will go some way to protecting against the potential threat of the “master key.”
Update: We have released a patch for the "Master Key" bug in the latest version of Webroot SecureAnywhere Mobile.
 
More info here:
 
Master Key Bug Patch – Webroot SecureAnywhere Mobile Update on Google Play Now
 
 
-Dan
The following article is an update on the Android phones bug.
 
(Android bug lets apps make rogue phone calls)
 
By Lucian Constantin | IDG News Service, posted on July 7 2014
 
A vulnerability present in most Android devices allows apps to initiate unauthorized phone calls, disrupt ongoing calls and execute special codes that can trigger other rogue actions.
The flaw was found and reported to Google late last year by researchers from Berlin-based security consultancy firm Curesec, who believe it was first introduced in Android version 4.1.x, also known as Jelly Bean. The vulnerability appears to have been fixed in Android 4.4.4, released on June 19.
 
InfoWorld, full read here: http://www.infoworld.com/d/security/android-bug-lets-apps-make-rogue-phone-calls-245669
