http://www.washingtonpost.com/business/technology/android-security-flaw-affects-99-percent-of-phones-researcher-says/2013/07/05/5a931a36-e56b-11e2-aef3-339619eab080_story.html

Android security flaw affects 99 percent of phones, researcher says

By Hayley Tsukayama

7/5/2013

Security researchers believe they have found a major security flaw in Google's Android mobile operating system, which could affect up to 99 percent of Android phones now in consumers' hands.

In results published [1] Wednesday by the Bluebox Security research firm, chief technology officer Jeff Forristal said the flaw gave hackers a "master key" into the Android system.

Google declined to comment on the report.

The problem lies in the security verification process that has been used on the Google Play applications store since the release of Android 1.6. It could leave up to 900 million devices open to hackers. The flaw, the research firm said, is a weakness in the way that Android applications verify changes to their code. The weakness would allow hackers to "turn any legitimate application into a malicious Trojan" without attracting the attention of Google's app store, the phone itself or the person using the application.

The result, researchers said, would be that anyone who breaks into an app this way would have access to the data that app collects and, if an app made by the device manufacturer gets exploited, could even "take over normal functioning of a phone."

In the post, Forristal said that Bluebox reported the security flaw to Google in February. In an interview with CIO [2], he said that some manufacturers have already released fixes for the problem, specifically naming the Samsung Galaxy S4.

Security is a common concern on Android phones, in part because the open nature of the system means that it's easy for anyone to find out how it works. Android is the OS of choice for 75 percent of the world's smartphones, IDC reported in May. But a report released in March [3] by the F-Secure security firm found that 79 percent of all mobile malware found in 2012 was running on Android phones.

This problem is exacerbated by the fact that so many smartphone manufacturers use their own versions of the Android operating system [4], making it more difficult to get system updates that may include security fixes out to customers.

[1] http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

[2] https://www.cio.com.au/article/466577/vulnerability_allows_attackers_modify_android_apps_without_breaking_their_signatures/

[3] http://articles.washingtonpost.com/2013-03-08/business/37554452_1_android-phones-malware-malicious-apps

[4] http://www.washingtonpost.com/business/technology/android-phones-vulnerable-to-hackers/2013/02/01/f3248922-6723-11e2-9e1b-07db1d2ccd5b_story.html