Experts startup Bluebox found in the security model of Android vulnerability that allows an attacker to modify the code APK-file (installation file) and turn into a Trojan any real application, and this change will not be able to notice the user or administrator directory where the application will be Loaded or mobile device itself.
All Android-applications contain cryptographic signatures that allow the system to determine the authenticity of the application being installed. However, this test is performed in a variety of applications in different ways. This is the basis of vulnerability. Using it, an attacker can modify the application without breaking the cryptographic signature.
Depending on the type of application, an attacker could exploit the vulnerability for any purpose – from identity theft to create a mobile botnet and penetration into the corporate enterprise system.
Moreover, an attacker can modify the application installed by the manufacturer of mobile devices, such as Samsung and HTC, which has a special privilege to work with the system processes. Using this feature, an attacker can gain full access to the Android, all applications, user accounts, passwords and gain control over any function, including telephone calls, messages and camera.
vulnerability found in all versions of Android from Android 1.6, code-named Donut, which was released four years ago and, thus, affects about 900 million devices sold to the current day.
vulnerability affects approximately 900 million devices based on Android
As the scale of vulnerability was too broad, experts Bluebox only now decided to inform the public, while Google has received information about this vulnerability back in February 2013 Google’s reaction to this information is not known.
owners of Android-smartphone and tablet recommended attentive to the name of the application developer, which they plan to install, and companies and organizations that use the model of the “bring your own device» (Bring Your Own Device – BYOD), – to update to the latest Android version, as well as to introduce more advanced data protection mechanisms.
Earlier vulnerabilities in Android met repeatedly, but never have they had such a large scale, affecting about 99% of the devices in use. According to Juniper Networks, users could protect themselves from more than half of the malicious applications if you use the latest version of Android.
startup Bluebox was founded in mid-2012, the Company has been developing solutions for information security of mobile devices. While it is not represented. The volume of investments in startups to date amounted to approximately $ 9.5 million among investors – venture fund Andreessen Horowitz, which owns shares in Facebook, Groupon and Twitter, and one of the founders of Sun Microsystems Andreas von Behtolsgeym (Andreas von Bechtolsheim).