Ninety-nine percent of Android phones contain a “master key” flaw that allows hackers to access all apps inside the phone, according to Jeff Forristal, CTO of Bluebox Security.
The flaw leaves Android phones massively vulnerable to
, botnets and computer fraud, he claims in a blog post:
The implications are huge!
… Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).
Google was alerted to the flaw in February, Forristal told the Black Hat USA conference for internet security experts.
The flaw is conceptually very simple, at least the way Forristal explains it. The flaw allows an app’s “application package file” — its software, basically — to be changed without changing the app’s cryptographic signature. So the app reads as genuine even though it has been altered by hackers or malware. Forristal writes:
All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.
The flaw has existed since 2009, according to Endgadget.
Google has so far declined comment. We’ll update this item if the company makes a statement.
The good news, according to CIO, is that Google has fixed the Google Play app store so that it will not allow apps that are vulnerable to the flaw. But apps downloaded from non-Google third parties remain vulnerable.