Google Unable to Prevent Android Malware Intrusion

by Matt Klassen on July 25, 2013

Despite Google’s best efforts to shore up a weakness in Android that allows hackers to infiltrate smartphones via legitimate applications and assume control of the devices, programs are still popping up on Google Play that contain the so-called ‘master key’ vulnerability, leading many to question whether Android security is even possible.

According to security vendors, several applications have been discovered on Google Play that carry the ‘master key’ vulnerability, some as recently as last week. What makes these infected programs insidious is that they are authentic Android apps (for scheduling medical appointments, for instance) that hackers have subtly modified into dangerous mobile Trojans.

While the most recent malware apps were found to be benign—meaning they weren’t actively employing this bug—their very presence raises serious questions about Google’s ability to protect its customers from such a threat.

Although mobile malware is nothing new, particularly in the Android ecosystem, the ‘master key’ bug discovered several weeks ago is particularly dangerous because it circumvents the security advice traditionally given to ordinary users. Security vendors have always told mobile users that the way to avoid malicious programs is to download apps only from reputable sources; now that may no longer be enough.

As mentioned, this critical vulnerability conceivably opens a gateway for hackers to assume full control of a mobile device. “Inserted into the programs is code that lets an attacker remotely control an Android device and collect data such as phone numbers and the device’s IMEI number. It can also deactivate some…mobile security software programs,” PC World writer Jeremy Kirk explains. “Additionally, the code can command a device to send SMSes to a premium number, a scam where an attacker controls the number and collects the fees charged to the victim.”
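The post never says what the bug actually is, so as an added illustration (not code from the post, from Google, or from the vendors quoted): the ‘master key’ flaw came from APK files, which are ZIP archives, carrying two entries with the same name, so that the signature check read one copy while the installer ran the other. The check below, written for this page, flags any APK whose central directory lists a name twice; the APK it inspects is a constructed in-memory sample with made-up contents, not a real app.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_constructed_apk(duplicate: bool) -> bytes:
    """Build a minimal APK-shaped ZIP in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns when a name is written twice; here the duplicate is deliberate
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", "<manifest package='com.example.scheduler'/>")
            zf.writestr("classes.dex", b"constructed-dex-header " + b"original bytecode")
            if duplicate:
                # Second entry with the same name: a tool that resolves names through a
                # dictionary sees only this one, while a tool that walks the central
                # directory in order sees the first copy as well.
                zf.writestr("classes.dex", b"constructed-dex-header " + b"injected bytecode")
    return buf.getvalue()


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry name: count} for every name listed more than once in the archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """A well-formed APK never needs two entries with one name; any duplicate is a red flag."""
    return bool(find_duplicate_entries(apk_bytes))


def contents_for_name(apk_bytes: bytes, name: str) -> list:
    """Return the payload of every entry with this name, in central-directory order."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


if __name__ == "__main__":
    for dup in (False, True):
        sample = build_constructed_apk(dup)
        print("duplicate entries:", find_duplicate_entries(sample), "suspicious:", is_suspicious(sample))
```

Note that `zipfile.ZipFile.read("classes.dex")` by name returns only the last copy, which is exactly the verify-one-run-the-other mismatch the bug exploited; walking `infolist()` is what exposes both.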

While the appearance of this ‘master key’ vulnerability is disconcerting, at present it looks like the apps in question contain this bug by accident. As Webroot Security Intelligence Director Grayson Milbourne explains, “The inclusion of the flaw is likely an oversight by the developers of the apps — but it’s nevertheless disturbing.”

Now that the vulnerability has been identified, the next step is patching the holes in Android to prevent additional apps from becoming infected; of course, this is the most difficult step. Estimates put the number of phones potentially affected by this vulnerability at approximately 900 million, anything running Android 1.6 or higher, and, because of increasing Android fragmentation, it’s difficult for Google to reach them all.

To patch this vulnerability, “Mobile phone operators must either send a patch out to users, which can be a slow process, or users must apply a patch themselves, which is unlikely for less-sophisticated smartphone users. Some security vendors have issued their own software to fix the vulnerability,” but most will remain exposed to this dangerous Trojan for an unjustifiably long period of time.

In the end, while a fix is available, there’s just no telling how long it will take to spread through the entire Android ecosystem. Further, despite the existence of a fix, we are still seeing this master-key vulnerability unintentionally popping up on Google Play, raising serious questions about Google’s ability, even with a patch, to secure its fragmented and increasingly vulnerable Android platform.

Written by: Matt Klassen. www.digitcom.ca.