Another security warning for Android powered devices

[dgstorm]

News is quickly spreading across the Internet of another potential security threat to Android devices.

The BBC covered it by saying:

"A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.

The loophole has been present in every version of the Android operating system released since 2009.

Google said it currently had no comment to make on BlueBox's discovery."

The Huffington Post, went on to report that...

"The method demonstrated by Bluebox would let app developers modify an update to a legitimate app to look like a system file, which can then be used to take control of a phone. With the right signature disguising its real motives, the update could log passwords, credit card information, photos, emails - essentially anything on your mobile device.

"The implications are huge," Bluebox explains on its website.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

Meanwhile, Ars Technica have also covered the story...

While it would be devastating if an attacker was able to get such a modified APK into the Google Play Store, or somehow use the technique to hijack the update mechanism of legitimate apps, there are probably safeguards already in place to prevent such attacks.

"I imagine that Google would move quickly to add some logic to look for such attacks," Dan Wallach, a professor specializing in Android security in the computer science department of Rice University, told Ars. "Without that available to an attacker, this is likely to only be relevant for Android users who use third-party app stores (which have lots of other problems). This bug could also be valuable for users trying to 'root' their phones."

Blue box researchers privately reported the vulnerability to Google in February.

So, while this would appear to have the potential to be a problem, there is a lot of difference between "potential" and "actual".

What is your take on this latest security story?

As originally posted by janner43 @TransformerForums.com.

 

[bweN diorD]

i posted about this last thursday http://www.droidforums.net/forum/dr...-depot/247978-android-master-key-exploit.html

 

[mardoon]

Anyone seen this?
Uncovering Android Master Key That Makes 99% of Devices Vulnerable » Bluebox Security

you beat me to it

 

[hammerhead13]

Is there a Fix for it!

 

[1coopgt]

Is there a Fix for it!

The real question is , What is Google saying and what are they going to do about it ?

 

[xtor]

Oh great. Something else to worry about.

sent from a note yee

 

[wardo]

My mother in law runs some credit union's and their security personnel instructed everyone to delete the flashlight app.
She is tech savvy when it comes to typewriters, so I just laughed at the info.
I honestly haven't read up on any threats, but this stuff sounds real.
Wtf?

 

[Miller6386]

I wouldn't worry to much about this.. This is kind of a perfect storm scenario. All the planets would have to be perfectly aligned for something like that to take place. Plus in order for any real damage to be done before it was caught it would have to hit on one of the big apps... Someone in the community would catch it before it spread to far. Another case of a news organization reporting on something to raise controversy and get "hits" to their site. Could it happen......? Yes but again to many things would have to be missed before it became a real threat.

Suggested from Beer Tent Capital of the World.