
First Apps Targeting Android Key Vulnerability Found in the Wild

Unknown Lamer posted about 9 months ago | from the about-that-vendor-update-speed-problem dept.


wiredmikey writes with this tidbit from Security Week: "Earlier this month, researchers from Bluebox Security uncovered a serious vulnerability in Android that allowed for the modification of apps without affecting the cryptographic signature, making it possible for attackers to turn legitimate apps into Trojans. ... Now, Symantec says it has uncovered the first malicious apps making use of the exploit in the wild. Symantec discovered two mobile applications that were infected by an attacker, which are legitimate applications used to help find and make doctor appointments and distributed on Android marketplaces in China. 'An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,' Symantec explained in a blog post. ... Google has fixed the security hole in Android, but it is now in the control of handset manufacturers to produce and release the updates for mobile devices to patch the flaws."

54 comments

In other words ... (5, Insightful)

gstoddart (321705) | about 9 months ago | (#44369401)

Google has fixed the security hole in Android, but it is now in the control of handset manufacturers to produce and release the updates for mobile devices to patch the flaws.

So, in other words, most people are screwed, because most of the manufacturers pretty much never really do updates.

I think that has to be the biggest limitation of the platform -- it is so fragmented, you could easily end up with a device which is never going to see updates.

Re:In other words ... (2)

Sockatume (732728) | about 9 months ago | (#44369451)

I wouldn't be surprised if Android 5.0 took some measures to decouple important system functions like this from the user experience layer in such a way that Google could roll out important, low level updates while leaving the overall experience in the hands of the carriers.

Of course then Google would be responsible for making sure the update is compatible with every available Android device, rather than the carriers and manufacturers.

Re:In other words ... (2, Informative)

Anonymous Coward | about 9 months ago | (#44369655)

This has already been happening; at Google I/O this year there were loads of announcements of changes and new APIs, but these were all done through app updates, no new OS revision was released. So bit by bit they are carefully moving key features out of the base install and into APKs that can be updated through the Play Store. There are certain features that require an OS update to liberate them, but it looks promising.

Re:In other words ... (1)

NatasRevol (731260) | about 9 months ago | (#44369751)

And the carriers will have to agree to it. Since it might break their 'premium add-on' software that was pre-installed.

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44369473)

I'm already happy I bought a Google Edition phone then and not having to wait for the damn handset and/or telco assholes to get off their butts to issue a fix.

Re:In other words ... (4, Insightful)

jeffmeden (135043) | about 9 months ago | (#44369681)

I'm already happy I bought a Google Edition phone then and not having to wait for the damn handset and/or telco assholes to get off their butts to issue a fix.

Except... wait for it...

OEMs (Samsung, LG, HTC, etc) have already patched this, and have already gotten code past the carriers. And Google? Every Nexus device STILL HAS THIS HOLE. Fragmentation is not the issue, mobile security is just fucking hard.

Re:In other words ... (1)

CastrTroy (595695) | about 9 months ago | (#44369757)

Really? Because I'm pretty sure that LG doesn't have an update available for my G2X past Android 2.2, because I'm not on T-Mobile, but rather a smaller independent carrier, which they can't be bothered to make an update for. I'm actually using the T-Mobile firmware because I wanted Android 2.3, but I had to jump through a few hoops to get it working. They have fixed it for a few of their current flagship models, but they don't have any interest in updating even slightly older phones. And especially not if you're on a small carrier. The phone was only released in 2011, which means it really isn't that old at all.

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44370187)

The phone was only released in 2011, which means it really isn't that old at all.

Just treat your phone like it is still 2011 and you will not be affected by this issue at all. Really, the way that people spend $400-$500 on a device and think that they are entitled to lifetime support for bugfixes AND updates amazes me. Your phone still works just as well as it did when you bought it in 2011. Google, for their part, won't even force you to update the OS to a newer, poorer performing one (due to being designed for new hardware) just to participate in their app store. Please try picking up a 2011 iPhone, get the latest iOS update so that you are allowed to access the app store, and tell me if it performs anything like it did when it was new.

No one can keep a tiny, cheap mobile device working flawlessly with modern apps for more than a year. Google and OEMs tackle this by making phones so cheap that you can just replace them after a year (maybe two) and they focus their effort on developing new phones (since that's what you pay them for.) Apple tackles this by bloating the OS to the point where you won't want to use the thing for more than a year (maybe two). Pick which method you like the best, because expecting a company to develop software specifically optimized for old hardware is not a popular model any more.

Re:In other words ... (3, Insightful)

Rich0 (548339) | about 9 months ago | (#44370357)

Really, the way that people spend $400-$500 on a device and think that they are entitled to lifetime support for bugfixes AND updates amazes me.

Microsoft of all companies set the expectation here. Your $500 laptop from 2000 running XP STILL gets security updates every patch Tuesday. And certainly Android can't hold a candle to Wintel when it comes to fragmentation.

Re:In other words ... (1)

tlhIngan (30335) | about 8 months ago | (#44371171)

Microsoft of all companies set the expectation here. Your $500 laptop from 2000 running XP STILL gets security updates every patch Tuesday. And certainly Android can't hold a candle to Wintel when it comes to fragmentation.

Actually, fragmentation on Wintel's a lot less than on ARM. The basic PC architecture is still the same as it was back in 1981 - you have memory at 0, BIOS starts 1MB in, video is somewhere between 640k-1MB, etc.

And when Windows came around, fragmentation decreased further still - there's only three video graphics providers - Intel (the largest by far), NVidia and AMD. For CPUs, there's two big ones and smaller ones (Intel, AMD, Via and others).

Think of it this way... A company like Apple, Lenovo, Dell, Acer, Asus, etc., produce the hardware. The OS is completely produced by someone else - Apple, Microsoft, Canonical (Linux), RedHat, etc.. The OS vendors sell a product that runs on a PC produced by a third party.

But on a smartphone, the vendor produces the OS as well as the hardware. So Samsung, LG, HTC, Apple, produce hardware and then they take what they have (either internally or what Google provides as a base) and then adapt it for the platform - adding their own stuff to the code, modifying the code so it works on the hardware, etc. Then doing a final build that gets shipped out. Google mandates a minimum level of compatibility, but that's it. In effect, the OS is completely customized per device and you cannot use a Gnex Android image on a Galaxy S4.

It's gotten so bad that Linus has spoken up about how crummy the ARM branch of Linux is because of the way it ends up being and he wants one Linux kernel to rule them all. Unfortunately, that's unlikely to happen due to individual SoC differences (where RAM is, where a serial port is, where ROM is, where other peripherals are). Though it's getting there with Device Tree and having vendor specific kernels able to boot up multiple vendor SoCs. (RAM is a tricky one because kernel startup requires running from it, until the MMU is turned on and the memory map is homogenized).

Re:In other words ... (1)

Rich0 (548339) | about 9 months ago | (#44376981)

Good points. There is still quite a bit of variety on Wintel though - ACPI seems like a mess, and there are lots of other support chips that need variations of behavior on motherboards.

But you're right, in the end the boot loaders all have the same defined interface, with the CPU in a relatively similar state, and the same basic architecture across the board. Until EFI came along the modern PC would probably boot DOS 2.1 just fine.

Re:In other words ... (0)

Anonymous Coward | about 8 months ago | (#44373583)

So are you prepared to drop $400-500 on a new phone every few months, each time a security hole is found in your current phone?

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44370487)

Tell me, is your Play Store using the "card version" (where it has the major categories in green/red/blue/purple buttons at the top when you launch it)?

If so, you're probably already fixed. Individual built-in applications are updated independently of system updates.

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44369491)

I agree 100%. As an Android user, the most frustrating part is sitting on an outdated, vulnerable version of the OS, with no future updates to my device in sight.

Re:In other words ... (4, Informative)

HycoWhit (833923) | about 9 months ago | (#44369493)

There are two apps you need to know about: ReKey from Duo Security and Northeastern University. ReKey will fix the MasterKey problem if you do not want to wait for a patch from your carrier. (http://www.rekey.io/)

The other app is from Bluebox Security and is called Bluebox Security Scanner. The Scanner app will simply tell you if your phone has the Master Key vulnerability. Bluebox Security Scanner [google.com]

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44369563)

"This app cannot be installed in your device's country"
Awesome...

Re:In other words ... (4, Insightful)

CastrTroy (595695) | about 9 months ago | (#44369521)

This is one reason where I think that Apple really has it right. Ensuring that users can easily get software updates for the entire phone ensures that they have a good user experience (for the most part, e.g. Apple Maps). But Android is such a mess in this respect. Google seems to get this with the Nexus line of phones, but the other vendors seem to do a pretty bad job. And even if they release an update, it can sometimes be blocked by the network owner, or the update won't be for the network you happen to be with. It's like if you bought a Dell computer and when Windows came out with a new OS, you could only get the new version if Dell allowed it.

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44369763)

Google has fixed the security hole in Android, but it is now in the control of handset manufacturers to produce and release the updates for mobile devices to patch the flaws.

What pisses me off is that I have a Motorola DroidX running on Verizon's network, and haven't seen (despite looking every few weeks) an Android update for it in well over a year, and now this revelation. Considering that Google swallowed Motorola, it is now "The Handset Manufacturer", at least in my eyes...

I bought the DroidX and into Android because it's Linux-based; I used to be very active in the Linux community, but what Google's done with it is well beyond polite description. (Well, "desecration" might be an apt start).

I'm now waiting for the next Apple iPhone (5S? 6? whatever they decide to call it...) with bated breath, and will not be downloading any new apps nor any updates to Google-written apps. I've backed up all my phone data (to my iMac) Just In Case.

Re:In other words ... (1)

Anonymous Coward | about 9 months ago | (#44369961)

I bought the DroidX and into Android because it's Linux-based

I'm sorry but I never understood this. There is zero reason to consider the kernel of an OS unless you plan on doing some real mods to your OS. I hear it so often from wannabes that Android is magically better and more powerful because it's open source. This is false. I've even bothered to talk to a couple of them about open source and many of them never seem to understand what it takes to mod their phone, write code or even have their phones rooted. They bought into marketing babble about the OS the same way that people buy into other marketing claims that they don't understand.

Re:In other words ... (1)

denbesten (63853) | about 9 months ago | (#44369841)

One of the downsides of open-source and free-software (or whatever you want to call it) is the ability to fork the codebase, which causes maintenance problems, such as this. The other edge to this sword is that as your hardware ages Apple will not support it and nobody can fix it themselves, resulting in an entirely different set of maintenance problems.

Re:In other words ... (1)

CastrTroy (595695) | about 9 months ago | (#44370003)

In theory you are correct, but in practice, it seems to work exactly the opposite, at least in terms of cell phones. You can still get IOS 6 even if you only have the iPhone 3GS. Good luck finding an Android phone from 2009 that has an official update to the latest version of Android. Sure they're dropping support in IOS 7, but if the phone got you that far, you've got your money's worth. Even with Android itself being open source, the drivers that interface with different components of the phone like the wireless radio seem to be closed source, which means that it's exceedingly difficult to put a new version of Android on an old phone.

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44370243)

It's like if you bought a Dell computer and when Windows came out with a new OS, you could only get the new version if Dell allowed it.

I don't know how it is now, but Dell computers used to throw a fit if you tried installing non-Dell-blessed hardware. So I could easily see them trying to disallow you upgrading the OS yourself.

Re:In other words ... (0)

Anonymous Coward | about 8 months ago | (#44371461)

I think it's quite normal for OEMs that they don't let you tinker with the hardware too much.

But not letting you update Windows? Not happening.

Re:In other words ... (1)

knarf (34928) | about 8 months ago | (#44375369)

While it would be nice if Android updates were available to all who wanted them regardless of which phone they happened to be using, I'll gladly take the current situation over any 'benevolent dictator' type of forced software distribution. For those who like their 'experience' to be managed by a commercial entity there is Apple. For those who prefer to do things their own way, Android is so far ahead of the closed Apple world that they might as well be from another planet.

The comparison with the Dell running Windows fails since the user is free to install Linux on said Dell without voiding the warranty or breaking one of those silly DMCA-type laws. Try that on an iProduct...

Re:In other words ... (1)

BrokenHalo (565198) | about 9 months ago | (#44369569)

Google's claim seems a bit questionable to me in any case. My Samsung Galaxy Nexus (which I rooted and flashed to stock Android 4.2 a while back, and is currently running 4.2.2) hasn't picked up any very recent updates.

My understanding is that the Nexus devices without OEM builds of the OS should enter the pipeline for updates directly from Google, and my phone reports having checked for updates within the last 6 hours. In my case, I don't have any binaries downloaded from non-Google sources (other than a couple of things I'm working on myself from time to time), so I'm not really worried, but even so...

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44369645)

I see we have an Apple shill here.

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44369919)

Also known as a frustrated Android user.

Re:In other words ... (1)

BrokenHalo (565198) | about 9 months ago | (#44376879)

I see we have an Apple shill here.

WTF? Go back and read my post again, you fool. Or try enrolling in an English comprehension course.

Re:In other words ... (1)

RobbieCrash (834439) | about 9 months ago | (#44370025)

Patched code in AOSP, not patched binaries for devices. Your GNex does not get every update contributed to the AOSP source, it needs to be compiled and sent to your phone.

Currently, the GS4, HTCOne and anything running a CM based ROM has been patched for sure; I'm not aware of what the status on anything else is because I don't care.

Re:In other words ... (0)

Anonymous Coward | about 9 months ago | (#44370401)

Individual applications can and are updated by Google on a regular basis.

Seeing that this "master key" thing is a Play Store issue (and last I read, some enterprising non-Google people wrote an application released to the Play Store to fix said vulnerability), this problem has already been patched on all devices that use Google Play.

I mean, my stock, unrooted, factory-reset-a-month-ago Nexus One (which no longer gets major system updates due to internal storage constraints) has the most up-to-date Play Store.

Re:In other words ... (1)

DrXym (126579) | about 8 months ago | (#44370651)

So, in other words, most people are screwed, because most of the manufacturers pretty much never really do updates.

"Most people" get their apps from the Google Play store, where presumably apps that use the exploit can be screened and killed on sight. So the vast majority of people are perfectly safe by default, and more so when firmware updates explicitly address the exploit in the installer.

It's only those idiots who get apps from warez sites who are at risk, and frankly what difference does it make in that situation? Anyway, the exploit itself is easy to detect (the APK has 2 or more files that point to the same path), so it would be simple enough to obtain an app from a trusted source that scans an APK to see if it was affected or not before installing it. That would be a sensible precaution at the best of times.
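The detection criterion DrXym describes (two or more central-directory entries with the same path, which is also the mechanism behind the "modification without affecting the signature" in the story summary) can be checked with nothing more than a ZIP parser. The block below is an added example, not code from this page, from Bluebox, Symantec or any of the scanner apps mentioned in the thread. It constructs two APK-like archives in memory (the "dex" payloads are placeholder bytes, not real dex files, and META-INF signature files are omitted since the scan does not need them), then scans them. All function and constant names are my own.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed sample payloads (not real dex files): just enough to tell the copies apart.
LEGIT_DEX = b"dex\n035 legitimate app code"
EVIL_DEX = b"dex\n035 attacker-added code"


def build_apk(entries):
    """Build an APK-like ZIP in memory from (name, bytes) pairs; duplicate names are allowed.

    zipfile does not refuse a repeated name, it only emits a UserWarning, which is the
    property a hand-crafted archive with two copies of one path relies on."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a clean package, and one where a second classes.dex was inserted
# ahead of the original (the order is a constructed assumption for illustration).
LEGIT_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", LEGIT_DEX),
])
TROJAN_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", EVIL_DEX),
    ("classes.dex", LEGIT_DEX),
])


def duplicate_entries(apk_bytes):
    """Names that occur more than once in the central directory, with their counts."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_copies(apk_bytes, name):
    """Every copy of `name` in central-directory order, each read via its own header offset."""
    copies = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as f:
                    copies.append(f.read())
    return copies


def read_by_name(apk_bytes, name):
    """What a name-keyed lookup sees. Python's zipfile keeps the last entry for a repeated
    name, so the other copy is invisible to any code that only looks entries up by name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def is_safe_to_install(apk_bytes):
    """Decide before any signature check: a duplicated path means two parsers can
    disagree about which bytes the signature actually covered."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    for label, apk in (("legit", LEGIT_APK), ("trojan", TROJAN_APK)):
        print(label, "duplicates:", duplicate_entries(apk), "safe:", is_safe_to_install(apk))
```

The point of `read_by_name` next to `entry_copies` is that a by-name API hands back exactly one copy and hides the other; which copy wins is an implementation choice of each parser, and the page does not say which copy Android's verifier or loader picked. That is why the scan rejects on the mere presence of a duplicated name rather than trying to decide which copy is the "real" one.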

The First ... (0)

Anonymous Coward | about 9 months ago | (#44369417)

The first but not the last apps or even vulnerabilities that will be exploited. This is a fact of life in computing devices so be careful out there!

Be careful of the origin of your software. (2)

CastrTroy (595695) | about 9 months ago | (#44369477)

distributed on Android marketplaces in China

That says it all right there. Be careful about the sources of your software. If you're installing software from shady sources or vendors, you probably don't care that the signature matches one of a legitimate program or not.

Re:Be careful of the origin of your software. (2)

gnasher719 (869701) | about 9 months ago | (#44369509)

That says it all right there. Be careful about the sources of your software. If you're installing software from shady sources or vendors, you probably don't care that the signature matches one of a legitimate program or not.

This is not about apps, it is about updates. Any hacker can create perfectly signed malware - "signed by evil@hacker.com", so at that point you'd have to check where your app comes from. But updates are supposed to be signed by the same entity that signed the original app, so evil@hacker.com can update apps signed by evil@hacker.com, but not apps signed by anyone else. And that's what this vulnerability does: It allows hackers to update legitimate apps with malware by taking a legitimate, signed update and adding their malware to it.

Re:Be careful of the origin of your software. (1)

CastrTroy (595695) | about 9 months ago | (#44369617)

Even so, app updates come from the app store they are downloaded from. In order to get an update into the app store they need access to the account of the developer/organization that originally created the app. And if the attacker has access to the account, you're pretty much screwed anyway. You can't just upload a fake signed app under a completely different account and have it show up as an update to a legitimate app from another developer.

Re:Be careful of the origin of your software. (2)

Yebyen (59663) | about 9 months ago | (#44369701)

Isn't the point of this vulnerability that someone who has a public wireless AP that you're using or other MITM vector (such as NSA) can update your apps and give you bad code as if it came from the real market / real app developer, and bypass the signature protections?

It would be some hella trick to prevent the original app dev from then overwriting their bad code with a fresh copy of the latest version, but then it was getting on the phone in the first place that was supposed to be difficult... I think it would be trivial to know what app your target uses, know that an update is coming down the pipe, intercept it, and push out your own malicious update in its place, as long as they stay on your network.

Would someone with more knowledge tell us? Is the connection to the market protected by SSL in a way that would stop this for non market users? Would gaining access to the developer account really be a part of this exploit? (If Google patches their server to not accept the compromised keys, does that stop the bad updates at the source?)

This seems like it could be a really neat problem to explore in more depth. Not for black-hat purposes of course, just educational.

Re:Be careful of the origin of your software. (1)

CastrTroy (595695) | about 9 months ago | (#44370049)

They could also sneak into your house in the middle of the night, gas you, and hook your phone up to a computer and install all kinds of crazy software on your phone. Ok, maybe not something quite so crazy, but it's probably much easier for somebody to get physical access to your phone than it is for them to pull off some MITM attack.

Re:Be careful of the origin of your software. (2)

Yebyen (59663) | about 8 months ago | (#44371239)

I'm reading every month about some new vulnerability that enables hackers to get your WPA keys in cleartext with some kind of rainbow tables or government/corporate database, spoof your AP, and convince your phone to join their internets (boom, MITM executed.) I think it would be a lot easier to drive by a few times a week to case the joint and prepare to get the hack ready, then just push out some bogus updates to root your phone after a few successful network privilege escalations, now they have all your saved passwords and are transmitting your GPS coordinates back to base, over the air, 24/7.

That is much easier than to "sneak into your house, gas you, and erase your memory Lacuna Inc. style" -- we're talking about real attacks that can compromise your data without your knowledge.

NSA news demonstrates that advanced persistent threats are real and they need not be discovered or be public to be effective at compromising "security systems." I appreciate what you're saying, "your data just is not that interesting" but if your target was PirateAt40 or Edward Snowden, you'd take the cheap, safe option, and not the option that involves potentially being caught breaking and entering with chloroform, a heavy wrench, and other "sophisticated hacking equipment." That is assuming you weren't just going for the full-blown Colombian Necktie.

Really a problem? (1)

Anonymous Coward | about 9 months ago | (#44369527)

> and distributed on Android marketplaces in China

How many people do you know that love downloading software from Android marketplaces in China?

Re:Really a problem? (0)

Anonymous Coward | about 8 months ago | (#44371751)

Me personally? None. But there are probably a fair number of Chinese Android users who do.

Android marketplaces in China (1)

sl4shd0rk (755837) | about 9 months ago | (#44369609)

Sounds like a great place to get some high quality apps.

Re:Android marketplaces in China (2)

Yebyen (59663) | about 9 months ago | (#44369739)

For people in China, it probably was, until this news!

There are two separate keys that were compromised, if I understand the output of the scanner correctly. KatKiss ROM for Transformer TF-101 has been patched for both since Version 220 or 221. I haven't tried V223b yet because it purports to change a bunch of defaults for performance reasons that I don't want to have to change back again every time I re-flash (but it's out).

Incidentally the source is not available at this time! EOS4 git repos went down when the TeamEOS broke up, I don't know for sure but http://git.teameos.org/ [teameos.org] is a cgit with at least web reader access to help tell which repos have changes from AOSP, but they are not available for cloning. Bummer.

I am sure timduru could use some help from anyone with the source, or with a lot of patience to read the individual repo commit ids from EOS4 cgit while it's still up, and check AOSP to see if they are present somewhere in history or divergent. (I've talked to him. It's a big job. I'm sure he could use the help, just not sure how to provide it best.)

I get my OS from these guys. But yeah, I would not be downloading apps from android marketplaces in China.

Re:Android marketplaces in China (2)

tlhIngan (30335) | about 8 months ago | (#44370949)

For people in China, it probably was, until this news!

Problem is, the Play Store is not available in China. In fact, it's not available in a lot of places.

And even in the US there are many legitimate reasons WHY you'd want to "allow non-marketplace apps" to be checked. Say, the Amazon App Store. Or Humble Bundle for Android. Or many legitimate sellers of Android apps who refuse to use the Play Store.

The problem with Android is it's an "all or none" proposition - you can choose the safety of the Play Store, or you can have it all. You can't choose the safety of the Play Store and other stores you trust (though there is legitimate reason why it's not necessarily a good idea).

The legitimate reason? It doesn't really protect anything - thanks to the dancing pigs (or rabbits) [wikipedia.org] issue, even if you made it so a user could "approve" a store, guess what? They'll approve illegitimate ones because they want the app.

Re:Android marketplaces in China (1)

Yebyen (59663) | about 8 months ago | (#44371271)

One of the keys that was compromised was a Chinese key. BlueBox Scanner told me that my device was vulnerable to that key until just 1 week ago, when KatKiss patched the second bug. Presumably these roms are equipped to allow some Chinese authority alternatively to Google Play store. I didn't read the advisory, but BlueBox tells me I'm protected now (from a whole 2 security advisories. Don't I just feel safer already?)

Really simple (1)

slashmydots (2189826) | about 9 months ago | (#44369999)

This is really simple. Don't use other app stores than Google Play. Every problem I've ever heard of with viruses and bad apps can be solved by not being that stupid.

Re:Really simple (0)

Anonymous Coward | about 8 months ago | (#44370671)

Stay inside that "walled garden" then, is that what you are saying?

Re:Really simple (0)

Anonymous Coward | about 8 months ago | (#44371825)

Or use another app store that you trust. Don't install "100% free version of popular application!" from random source that you don't know.

It's not rocket science, and this whole thing is *way* overblown.

symantec!? (1)

beefoot (2250164) | about 9 months ago | (#44370071)

I can only hope no one is going to install symantec antivirus on their phone because we know what it did to our computer.

Main Reason I went iPhone... (1)

macromorgan (2020426) | about 9 months ago | (#44370143)

This is really the main reason I'm still on an iPhone, despite being a mostly Linux fanboy. Apple is able to push software updates without having to deal with carriers' machinations, while Android requires both the manufacturer and carrier to be on board*. Apple has also supported the devices I owned for a minimum of 2 years from their launch. *(I'm aware of Nexus devices, however due to some licensing issues there are no Nexus Verizon phones, and Verizon as a carrier is a requirement).

ARM is the issue (0)

Anonymous Coward | about 8 months ago | (#44371745)

encrypted boot loader + GPIOs = messy!

It works for Apple because they only support a handful of devices. Android is the Windows of mobile computing. It needs something like BIOS to be able to roll out updates to the countless number of various devices.

use the exploit to fix it? (1)

xrmb (2854715) | about 8 months ago | (#44374111)

Well, I hope this exploit can be used to give me root, so I can (A) fix it, (B) enjoy being root...