Silk Road forums

Discussion => Security => Topic started by: Jack N Hoff on July 04, 2013, 04:11 am

Title: Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Post by: Jack N Hoff on July 04, 2013, 04:11 am
Quote
The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.

While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access.

Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.

How it works:

The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.

All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.

Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013. It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question.

The screenshot below demonstrates that Bluebox Security has been able to modify an Android device manufacturer’s application to the level that we now have access to any (and all) permissions on the device. In this case, we have modified the system-level software information about this device to include the name “Bluebox” in the Baseband Version string (a value normally controlled & configured by the system firmware).

http://bluebox.com/wp-content/uploads/2013/06/exploit.png

How to get more details:

Technical details of the issue, and related tools/material, will be released as part of my Black Hat USA 2013 talk. During the talk, I will review the bug, including how it was found, and how it works. After the talk, we will post a follow-up post to our blog with a link to materials from the talk, and you can track this information via @BlueboxSec.

Recommendations

    Device owners should be extra cautious in identifying the publisher of the app they want to download.
    Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
    IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
Title: Re: Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Post by: jackofspades on July 04, 2013, 07:39 am
As if I needed another reason to not conduct business via phone.
Title: Re: Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Post by: GrimWaldo on July 04, 2013, 03:06 pm
Wow, that's some scary shit... especially the BotNet.

I have an Android phone, but I only use it to play "Pissed-Off Ornithos" and talk dirty to my spouse.
No worries here.
Title: Re: Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Post by: murderface2012 on July 04, 2013, 09:32 pm

Lesson:
Know what you're downloading!!
Title: Re: Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Post by: comsec on July 05, 2013, 02:39 am
This only affects people who install packages OUTSIDE the official Google Play store, as they aren't vuln to this signature spoofing. So if you use F-Droid, or random packages from the XDA dev site or elsewhere, you could be affected.

You don't need a Google account to download play store .apk's/apps. There's a trick you can do with your browser to spoof being a phone and download the .apk's directly from Google, then you don't have to trust their playstore app and can safely use applications you know are protected against this attack. You should also have 'Enable 3rd party installations' disabled and preferably you should have package manager (pm) chmod 000 or otherwise disabled completely.
Title: Re: Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Post by: ChemCat on July 05, 2013, 02:46 am
Opera Mobile Emulator is pretty good...

Allows your PC to be seen as a phone... pretty easy setup from the start.

Hope this has helped someone :)

Peace & Hugs,

      ChemCat
Title: Re: Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Post by: ChemCat on July 05, 2013, 03:13 am
:o
Title: Re: Uncovering Android Master Key That Makes 99% of Devices Vulnerable
Post by: acroyear on July 06, 2013, 03:54 am
This is a non-issue for 99% of Android users, I think. Theoretically it's a cool exploit though.