Android mega flaw fixed but phones remain vulnerable

Handset makers are slow to push fix to users, and fragmentation is not helping in the enterprise

Google quickly addressed a mega flaw in its Android mobile operating system after security researchers brought it to the company's attention earlier this month, but those fixes appear to be slow in reaching handset owners.

"Samsung and HTC have both shipped some patches for some devices," Adam Ely, co-founder of Bluebox, told CSOonline. Bluebox uncovered the vulnerability that could impact 99 percent of some 900 million Android devices in the world.

"The information from the manufacturers and carriers that's coming in is pretty spotty," Ely said.

Typically, handset makers push fixes to their latest models before addressing problems with older models. "They generally will first fix whatever's most popular in their market, whatever they're trying to push, and work backwards," he said.

"Almost all OEMs don't care about phones that were sold more than a year ago," said Pau Oliva Fora, an Android analyst with viaForensics. "Not even Google has pushed updates to its Nexus phones yet."

Rapid7 Vice President and General Manager for Mobile, Giri Sreenivas, agreed that handset makers aren't being very transparent about how they're tackling the Bluebox vulnerability.

"It's likely that the first devices to see the fix beyond the Nexus devices, which are managed by Google, will be the Google Experience devices from HTC (HTC One) and Samsung [Galaxy S4]," Sreenivas said.

Nexus-branded Android devices are manufactured for Google by several handset makers and are usually the first to get updates and fixes.

Google said it has furnished its Android partners with a patch to address the problem. "Some OEMs are already shipping the fix to their Android devices," Google spokeswoman Gina Scigliano said in an email. "Nexus devices will receive the fix in an upcoming software update."

While the vulnerability, which allows digital desperadoes to turn any legitimate application into a malicious Trojan, has been undetected in Android for four years, it seems to have escaped the notice of the hacker community.

"We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools," Scigliano said.

In addition to the patches it's pushing, Google has also configured its online app store, Google Play, to scan apps distributed through the outlet for the defect, as well as offering a program called Verify Apps to check apps obtained from outside Google Play for the flaw.

Shortly after Bluebox discovered its master key vulnerability -- so named because it allows a hacker to modify an application package (APK) without breaking its cryptographic signature -- a similar vulnerability was posted to a Chinese-language website.

"Google has patched the second vulnerability posted on the Chinese website, but similar to the master key vulnerability, there is no transparency from the OEMs about how and when to expect these patches to reach end-user devices," said Rapid7's Sreenivas.

"In an interesting twist," he said, "the CyanogenMod communities are already starting to incorporate the fixes from Google; therefore, we are seeing custom ROMs running on jailbroken devices and offering a level of protection that other devices are not able to offer."

Although one of the co-founders of Android, Rich Miner, recently discounted the negative impact fragmentation has had on the operating system, Bluebox's Ely said his firm had found that the ecosystem's fractured landscape was definitely contributing to the difficulty of mitigating the serious problem.

"It's a challenge because of fragmentation in the market," Ely said. "Enterprises are having trouble keeping track of what's [been] patched, what hasn't."

Google patched the problem fast, but now the patches have to be tested on the myriad versions of Android out there running on an assortment of handsets, he said.

"That's what makes this difficult," Ely said. "It's the number of places it has to be fixed, which is the result of fragmentation in the market."

While the Bluebox exploit has been treated as an apocalypse waiting to happen by some, others are more sanguine about the discovery. "These issues have been blown out of proportion," said Ken Pickering, development manager for security intelligence at Core Security.

"Yes, you can bypass signature checks, but the Google Play Store is already scanning for this malware," Pickering said. "So, unless you're rooting your phone and sideloading applications, the majority of users should be unaffected by these defects."

"Don't get me wrong, it's a bad bug," he said. "But the actual exploit would be very hard to reproduce on the majority of environments, and it would only affect a minority of users."

John P. Mello

CSO (US)
