Eeek, this -- this -- is why so many enterprises want nothing to do with Android.
Mobile security start-up Bluebox Security says it has discovered a vulnerability in Android’s security model that allows a hacker to turn "any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user."
Amazingly, this vulnerability has been embedded in the Android code since 1.6, or Donut, which was released in September 2009.
"The implications are huge!" writes Bluebox CTO Jeff Forristal. "This vulnerability could affect any Android phone released in the last four years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."
While Bluebox publicized the vulnerability this week, it notified Google back in February. The search giant has told its partners and members of the Open Handset Alliance, IDG reports. Samsung already has a patch for its Galaxy S4 smartphone, Forristal tells IDG, while Google and other device manufacturers are also working on fixes.
This latest report underscores the inherent and well-publicized flaws in Android security, problems Google seems content to let manufacturers deal with. Samsung has attempted to fill the void with enterprise security platforms such as SAFE and KNOX, which allow enterprise IT departments to control data access and segregate corporate from personal data on specified devices.
Bluebox says the risk posed by this newly discovered vulnerability is compounded because many applications developed by manufacturers "are granted special elevated privileges within Android – specifically System UID access."
Once a Trojan has full access to the Android system and all installed applications -- including data -- it can wreak real havoc. Writes Forristal:
"The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."
Botnets are no strangers to Android devices. One discovered early last year and concentrated mainly in China included about 100,000 Android devices, while another uncovered last December was detected on all major U.S. mobile networks.
Bluebox offers the following suggestions for protecting Android devices against what it calls security bug 8219321:
- Device owners should be extra cautious in identifying the publisher of the app they want to download.
- Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
- IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.
Enterprise pros might have another suggestion altogether: Avoid Android.