Android Exploit Leaves Users Vulnerable
According to a post on Computerworld, there’s a long-unnoticed exploit lingering in the Android mobile operating system—one that leaves users extremely vulnerable to insidious programs and the people who make them. Apparently there’s a flaw in the OS’s security protocols that allows hackers to insert malicious code into otherwise innocuous applications without breaking the app’s security.
The discovery was made by Bluebox Security out of San Francisco. The situation is outlined on the company’s blog, saying the exploit “allows a hacker to modify APK [the file extension for Android apps] code without breaking the application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.”
The post continues:
“The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years—or nearly 900 million devices—and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”
The Computerworld post notes that despite the flaw having gone largely unnoticed over the last four years, Samsung’s Galaxy S4 phone has a fix already installed, which will hopefully point the way to more handset manufacturers sending out firmware updates to close the security loophole. It’s also important to point out that, according to the post, Google’s Play store also has safeguards against hosting and distributing affected apps. If true, that means that you can only download malicious programs from third-party websites.
Unfortunately, one of the Android platform’s big selling points is the ability to install programs from third-party sites and to customize the OS itself. I’ve used phones that have been rooted and altered to function differently from the way they’re sold in stores, and doing so offers the opportunity to enjoy a much more interesting and rich mobile computing experience.
This news only confirms the fears one might have about straying away from Google’s app store. It’s a shame that the exploit has been around for so long, essentially making any apps found from a third party source suspect and discouraging users to experiment. Hopefully future versions of Android will come along that address this problem. In the meantime, I’m going to stick with Google’s Play Store until I hear differently.