Android Mega Flaw Fixed But Phones Remain Vulnerable
Google quickly addressed a mega flaw in its Android mobile operating system after security researchers brought it to the company's attention earlier this month, but those fixes appear to be slow in reaching handset owners.
Tue, July 16, 2013
CSO — Google quickly addressed a mega flaw in its Android mobile operating system after security researchers brought it to the company's attention earlier this month, but those fixes appear to be slow in reaching handset owners.
"Samsung and HTC have both shipped some patches for some devices," Adam Ely, co-founder of Bluebox, told CSOonline. Bluebox uncovered the vulnerability that could impact 99 percent of some 900 million Android devices in the world.
"The information from the manufacturers and carriers that's coming in is pretty spotty," Ely said.
Typically, handset makers push fixes to their latest models before addressing problems with older models. "They generally will first fix whatever's most popular in their market, whatever they're trying to push, and work backwards," he said.
"Almost all OEMs don't care about phones that were sold more than a year ago," said Pau Oliva Fora, an Android analyst with viaForensics. "Not even Google has pushed updates to its Nexus phones yet."
Rapid7 Vice President and General Manager for Mobile, Giri Sreenivas, agreed that handset makers aren't being very transparent about how they're tackling the Bluebox vulnerability.
"It's likely that the first devices to see the fix beyond the Nexus devices, which are managed by Google, will be the Google Experience devices from HTC (HTC One) and Samsung [Galaxy S4]," Sreenivas said.
Nexus-branded Android devices are manufactured for Google by several handset makers and are usually the first to get updates and fixes.
Google said it has furnished its Android partners with a patch to address the problem. "Some OEMs are already shipping the fix to their Android devices," Google spokeswoman Gina Scigliano said in an email. "Nexus devices will receive the fix in an upcoming software update."
While the vulnerability which allows digital desperadoes to turn any legitimate application into a malicious Trojan been undetected in Android for four years, it seems to have escaped the notice of the hacker community.
"We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools," Scigliano said.
In addition to the patches it's pushing, Google has also configured its online app store, Google Play, to scan apps distributed through the outlet for the defect, as well as offering a program called Verify Apps to check apps obtained from outside Google Play for the flaw.
Shortly after Bluebox discovered its master key vulnerabililty -- named so because it allows a hacker to modify an application package (APK) without breaking its cryptographic signature -- a similar vulnerability was posted to a Chinese language website.