Google Sticks a Thumb in Android Security Dike
The very thing that makes Android so desirable -- it's freedom from the constraints of an overlord -- also can make it pretty uncool at times. When it comes to security, there's no way to deliver a patch to all Android users simultaneously. Google maintains there's been no sign that a critical flaw was exploited before a patch was issued -- but maybe the other shoe hasn't yet dropped.
Jul 9, 2013 4:44 PM PT
Lumbering like the old-school technology firms it sometimes derides, Google has finally issued a patch for a master key vulnerability in Android that Bluebox called to its attention back in February.
"Is Google eating their own dog food?" asked Randy Abrams, a research director at NSS Labs.
In May, Google security engineers stated that the company's standing recommendation was to have critical vulnerabilities fixed within 60 days and those being actively exploited should be fixed within seven days, he noted.
The vulnerability, Android security bug 8219321, lets attackers modify Android apps into Trojan apps without breaking their APK signature. APK is the file format used to distribute and install application software and middleware onto Android.
"Antivirus manufacturers do not catch this," Bluebox cofounder Adam Ely told TechNewsWorld.
Bluebox on Tuesday released a scanning tool that will search for this vulnerability on Android devices and see if any malicious apps have been installed. It's available for free on Google Play.
Google confirmed that a patch had been provided to its partners.
"Some OEMs, like Samsung, are already shipping the fix to their Android devices," spokesperson Gina Scigliano told TechNewsWorld.
What the Vulnerability Does
The master key vulnerability essentially lets malicious code sneak onto Android under the cover of legitimate apps. It apparently lets malicious code duplicate a legitimate app's APK file name so the app will then have two APK file names.
Android records the digital signature of any app installed on it and checks incoming apps against that signature to verify that they're legit. So, when an infected app with two APK file names is encountered, the legitimate file name is verified, but the file carrying the malicious payload, which bears the duplicate name, is allowed to install.
"The user never knows this occurs," Bluebox's Ely said.
Bluebox will disclose technical details of how the vulnerability is exploited at Black Hat USA 2013, to be held in Las Vegas later this month.
Staying Safe With Google, More or Less
Google Play scans apps in the store for this master key vulnerability, Scigliano said.
Also, Android 4.2, the latest version of Jelly Bean, includes an app verification feature that scans downloads for malware, so users with devices running it can download apps from other app stores safely.
"We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools," noted Scigliano.
However, the vulnerability exists in all earlier versions of Android starting with 1.6, aka "Donut," Bluebox's Ely pointed out.
Jelly Bean now runs on about 38 percent of Android devices -- but roughly just 6 percent of them run version 4.2. That leaves a lot of users potentially vulnerable.
On the other hand, said Ely, "we hope we caught this early enough that there won't be widespread damage."
Making Devices Kosher
It's up to Google's OEM partners now to fix their systems, and Samsung's Galaxy S4 reportedly has been patched.
Android device owners shouldn't take anything for granted, though.
"If I had an S4, I would validate that for myself," NSS Labs' Abrams told TechNewsWorld. "Neither my two-month-old T-Mobile Samsung Galaxy S Relay nor a colleague's month-old Google Nexus 4 device have been patched."
Android and Security
Android's greatest strengths -- the frequent updates and Google's laissez faire policy, which lets manufacturers tweak the OS as they will -- are also its greatest weaknesses, because they have led to the operating system's fragmentation. There are six versions of Android earlier than Jelly Bean, which itself now comes in two flavors. Gingerbread comes in five flavors and Ice Cream Sandwich in two.
It's widely known that a patch for one version of Android -- or one flavor of a version -- may not be applicable to another version or flavor.
"Android is hampered through the inability of manufacturers and providers to effectively collaborate in providing updates to users," NSS Labs' Abrams pointed out.
Users should install apps only from highly trusted app stores, Abrams recommended.
Companies that have a BYOD policy should educate employees about the risk of downloading apps from alternative stores, he advised, and implement policies limiting the stores from which employees can download apps.