Bluebox: Android Security Bug Could Leave Virtually All Devices Open To Hackers

'Master Key' Android Bug Could Leave Virtually All Devices Open To Hackers
An Android operating software icon sits on display with a Google Inc. logo at the Google booth at the Mobile World Congress in Barcelona, Spain, on Wednesday, Feb. 29, 2012. The Mobile World Congress, operated by the GSMA, expects 60,000 visitors and 1400 companies to attend the four-day technology industry event which runs Feb. 27 through March 1. Photographer: Denis Doyle/Bloomberg via Getty Images
An Android operating software icon sits on display with a Google Inc. logo at the Google booth at the Mobile World Congress in Barcelona, Spain, on Wednesday, Feb. 29, 2012. The Mobile World Congress, operated by the GSMA, expects 60,000 visitors and 1400 companies to attend the four-day technology industry event which runs Feb. 27 through March 1. Photographer: Denis Doyle/Bloomberg via Getty Images
Getty

A potentially catastrophic security flaw has been found that could leave virtually every Android device open to hackers.

According to researchers at Bluebox Security, the 'master key' issue is fundamental to the way Google's open mobile operating system works - and only one device has so far been patched.

The issue apparently affects all versions of Android since version 1.6, meaning up to 900 million devices could be vulnerable to the flaw.

The method demonstrated by Bluebox would let app developers modify an update to a legitimate app to look like a system file, which can then be used to take control of a phone. With the right signature disguising its real motives, the update could log passwords, credit card information, photos, emails - essentially anything on your mobile device.

"The implications are huge," Bluebox explains on its website.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

It adds:

"All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn't been tampered with or modified. This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application - essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been."

The bug was reported to Google in February, Bluebox CTO Jeff Forristal says, but it's up to device makers and mobile networks to develop, issue and install the updates.

So far only the Galaxy S4 is not affected - indicating that patches are being worked on, but are not widely available.

Bluebox recommends that users of Android devices be extra cautious in downloading only apps where they are sure of the content, and wants businesses to prompt all uses to keep their devices updated.

As for Google themselves, Engadget reports that they had "no comment" about the Bluebox report.

Close

What's Hot