The vulnerability could allow data theft or the hijacking of a handset, it affects almost all Android devices, and it’s up to the manufacturer to push out a fix.
You may have seen reports out there about a serious flaw affecting almost all Android handsets. But, assuming you’re packing one of said devices, how worried should you be?
If you’re in a hurry, here’s the short answer: quite worried, especially if you have an older Android phone. If you have time for the explanation, here it is.
Who announced this flaw?
That would be Bluebox Security, a new mobile security startup that’s supposedly in stealth mode.
This isn’t just a publicity stunt, is it?
Probably not. Bluebox’s CTO is a chap called Jeff Forristal, who’s been involved in the security scene for a decade or so. And this does appear to be a serious vulnerability – it affects any Android phone released in the last 4 years, which is around 99 percent of them.
So what does this vulnerability allow?
The flaw lies in the way Android app packages – APK files – are verified as secure. It allows the code inside such a package to be altered without the change being caught by that verification. If the app in question comes from the device manufacturer or a trusted partner, it will probably come with privileged access to the device. This raises the possibility of “Trojan” apps that can gain full access to the Android system and to other apps.
This means such Trojans could steal information or take over aspects of the device, or even make the handset part of a wider botnet without the user knowing about it.
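The details Bluebox later published for bug 8219321 came down to a parsing mismatch: the signature verifier and the installer resolved duplicate ZIP entry names differently, so an APK carrying two copies of the same file could be verified on one copy and run the other. Below is an added defensive example, not code from Bluebox or Google, that scans an APK’s central directory for duplicate names with differing content; the sample APK it builds is constructed inline for the check.

```python
"""Flag APKs whose ZIP central directory lists the same name more than once.

Android bug 8219321 (the Bluebox flaw) was a mismatch between how the signature
verifier and the installer picked among duplicate ZIP entry names, so a second
'classes.dex' could slip past verification. This scanner only reports; it
never alters the package.
"""
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: [ZipInfo, ...]} for every name listed more than once,
    keeping central-directory order so first vs. last copy can be compared."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():  # infolist() preserves directory order
            seen[info.filename].append(info)
    return {name: infos for name, infos in seen.items() if len(infos) > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when a duplicated name has copies whose CRCs differ, i.e. the
    two parsers could legitimately see different content for one path."""
    dups = duplicate_entries(apk_bytes)
    return any(len({i.CRC for i in infos}) > 1 for infos in dups.values())


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed sample (not a real APK): a minimal ZIP with a manifest and
    classes.dex, optionally followed by a second, different classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035original")
        if duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on a repeated name
                zf.writestr("classes.dex", b"dex\n035replaced")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        apk = build_sample_apk(flag)
        crcs = {n: [i.CRC for i in v] for n, v in duplicate_entries(apk).items()}
        print(f"duplicate={flag}: suspicious={is_suspicious(apk)} {crcs}")
```

On a real device image the same check can be run over every APK in the system partition to confirm a vendor’s firmware carries no such packages.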
Sounds bad. What’s being done about it?
In line with good security research procedures, Bluebox quietly disclosed the flaw to Google back in February. It’s listed as Android security bug 8219321. So Google, which is not openly commenting on Bluebox’s public disclosure, has had at least 4 months to get the word out to Android device manufacturers, who are the ones that are now expected to release firmware updates to fix the vulnerability.
Bluebox will also release proofs-of-concept of its exploit, for each device vendor, at the upcoming Black Hat USA 2013 security conference. According to Computerworld, Samsung’s flagship Galaxy S4 has already been patched, so it is likely that manufacturers have quietly sprung into action.
Phew. So why the worry about older phones?
One of Android’s traditional problems is that many older devices don’t see updates anymore – the evolution of the operating system and the underlying hardware since the Froyo or Gingerbread versions, for example, has been so great that the manufacturers would rather you just buy a newer device.
This situation is changing – the evolution of phone processors is likely to hit a plateau after the leap to quad-core, and the next version of Android, Key Lime Pie, will reportedly cater for low-spec phones, so that older and cheaper devices are covered. However, it’s still down to the manufacturer to make sure the devices it sold 2 or 3 years back get patched.
Anything the user can do in the meantime?
The usual, really – be careful where you download your apps from. Although Bluebox’s post suggests even the Play Store can be fooled by exploits of this flaw, it’s possible that Google’s beady eye is more observant than those who run third-party app stores. It may or may not be coincidental that Google banned Play Store apps from updating outside the Play Store update mechanisms a couple of months after Bluebox told it about the vulnerability.