Google Play Misses Dangerous Apps at Border Control

Despite yeoman efforts by Google to close a critical hole in its Android mobile operating system that allows any app to be turned into a malicious Trojan, programs are still appearing in the company’s Google Play store with the flaw.

A number of apps containing the so-called MasterKey vulnerability were discovered by cybersecurity firm Bitdefender last week.

“There is no need to panic right away: the applications contain two duplicate PNG files which are part of the game’s interface,” Bogdan Botezatu, a senior e-threat analyst with Bitdefender, wrote in a blog post.

“This means that the applications are not running malicious code — they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake,” he added.

Although the infected apps are benign, they raise serious questions about the ability of Google Play to protect its customers from the bug.

“This kind of app should not work in the first place,” Botezatu told TechNewsWorld. “It should not be making it to the Google Play store.”

Free Fix

The inclusion of the flaw is likely an oversight by the developers of the apps — but it’s nevertheless disturbing, said Webroot Security Intelligence Director Grayson Milbourne.

“Google Play’s miss in the detection of these apps is evidence that we can’t rely on using that market to stay safe,” he told TechNewsWorld.

Google did not respond to our request to comment for this story.

Google has released a fix for the MasterKey vulnerability, but many Android users may still remain at risk.

“While Android 4.2 users may have the fix from Google, there are still thousands of Android users with older devices that aren’t capable of upgrading to that OS and will never get that patch,” Milbourne noted.

To address that problem, Webroot last week released a free version of its SecureAnywhere Mobile fogtwware that will address the MasterKey vulnerability in older versions of Android.

Unholy Trinity

Although Google acted quickly to address the MasterKey flaw, it remains to be seen how quickly its fixes will reach Android users.

Google, the handset makers and the wireless carriers represent an “unholy trinity” in the Android world that prolong the exposure of users to exploitable vulnerabilities, maintains Randy Abrams, aresearch director for NSS Labs.

“Not only are users marooned in obsolete versions of the Android operating system that do not include the most recent security enhancements, but those with current versions of the operating system are left in jeopardy for unjustifiably long periods of time,” he told TechNewsWorld.

The Google-OEM-carrier troika needs to assign and coordinate security teams that specify reasonable time frames for operating system upgrades to be made available for devices, Abrams argued, with the power to support newer OSes or with patches where OS upgrades are unfeasible.

If upgrades and updates are not provided in a reasonable time frame, then a penalty should be imposed on the responsible parties, he suggested.

“The unholy trinity can figure out amongst themselves who is responsible for the delay and how much, but meaningful remuneration to customers should be required in order to provide economic incentive for responsible security practices,” added Abrams.

BYOD Policies

The Bring Your Own Device movement appears to be spreading faster than security pros can keep up with it.

Almost 60 percent of organizations surveyed either didn’t have a policy that specified how employees may use their own devices in the workplace (41 percent) or were just planning to write such a policy, found a study released last week by Acronis and the Ponemon Institute.

Putting together a good BYOD policy should involve not only an IT department, but also Human Resources, observed Amtel CEO PJ Gupta.

“You may need special HR policies to govern what content is suitable on a personal device being used in the workplace,” he told TechNewsWorld.

An organization may also want to include some kind of geofencing in the policy.

“That means if a device comes inside a workspace, then certain functions will stop working,” Gupta said.

A BYOD policy should also convey to employees what’s expected of them when they use their own device and have corporate data on it. Cisco, for instance, has a “trusted device standard” made up of nine elements for employees using their devices on the job.

“They’re not onerous,” said Steve Martino, vice president of information security and acting CISO of Cisco.

“They’re straightforward things like have antivirus, encrypted disk, password with a screenlock,” he told TechNewsWorld. “They’re the kinds of things people should already be doing for their personal device.”

Breach Diary

  • July 15. New York Office of Medicaid Inspector General reports that an employee exposed the records of 17,743 records of Medicaid recipients by mailing the information to a personal email account.
  • July 17. International Organization of Securities Commissions and the World Federation of Exchanges releases study revealing that 53 percent of the stock exchanges surveyed by the organization had been hit by cyberattacks. The most common assaults were Distributed Denial of Service attacks.
  • July 17. University of Virginia reveals Social Security numbers of 18,700 students were exposed on the address labels of open enrollment materials mailed to students by its healthcare provider.
  • July 17. Brian McCarthy, former supervisor at the Federal Reserve Bank of Chicago, pleads guilty to a federal misdemeanor charge for stealing computer files containing confidential information relating to the bank’s responsibility to assess and monitor its credit risk exposure.
  • July 18. Nasdaq alerts members of its community forums that their passwords have been reset due to a data breach that may have compromised the members’ passwords, email addresses and usernames. No trading or commerce platforms were affected by the breach, Nasdaq said.
  • July 18. Perkins Cole releases annual free report of state-by-state analysis of data breach notification laws.
  • July 18. U.S. House Energy and Commerce subcommittee on Commerce, Manufacturing and Trade holds public hearing on bills to establish a national data breach notification law that would supplant existing state laws.

Upcoming Security Events

  • July 24. Cyber Security Brainstorm. Newseum, Washington, D.C. Registration: non-government employees US$495; July 24, $595.
  • July 24. Impact of Prism on Digital Trade. 12:00-1:30 p.m. ET. Information Technology and Innovation Foundation, 1101 K Street, Washington, D.C. Free with registration.
  • July 24. New Trends in Advanced Persistent Threats. 2 p.m. ET. Webinar sponsored by Palo Alto Networks. Free with registration.
  • July 24. Four Phases of Every Attack. 2 p.m. ET. Webcast sponsored by McAfee. Free with registration.
  • July 25. Defending the Enterprise Edge: The Role of On-Premise and Cloud DDoS Protection. 1 p.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • July 25. Wireless Security: Beyond the Basics. 2-3 p.m. ET. Webinar by Dark Reading. Free with registration.

  • July 25. Whistleblowers, Journalists and the New War Within. 8:30-11 a.m. National Press Club, 529 14th Street NW, Washington, D.C. Panel discussion. Free.
  • July 27-Aug. 1. Black Hat USA 2013. Caesars Palace, Las Vegas. Registration: June 1-July 24, $2,195; July 25-Aug. 1, $2,595.
  • Aug. 1-4. Def Con 21. Rio Hotel and Casino, Las Vegas. Registration: $180.
  • Aug. 12-14. AIAA Aviation 2013: Focus on Cyber Threats to Airline Industry. Hyatt Regency Century Plaza, Los Angeles. Sponsored by American Institute of Aeronautics and Astronautics. Registration: By July 26, $1,000 non-member; $840 members. July 27-August 10, $1,100 non-member; $940, members.
  • Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.
  • Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian/The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros +VAT delegate/495 euros +VAT one day pass; Discount from July 27 -Sept. 27, 995 euros +VAT delgate/595 euros +VAT one day pass; Standard from Sept. 27-Oct.27, 1,095 euros+VAT delegate/695 euros+VAT one day pass; On site from Oct. 28-31, 1,295 euros+VAT.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Security

Technewsworld Channels