Android mega flaw fixed but phones remain vulnerable

Handset makers are slow to push fix to users, and fragmentation is not helping in the enterprise

Google quickly addressed a mega flaw in its Android mobile operating system after security researchers brought it to the company's attention earlier this month, but those fixes appear to be slow in reaching handset owners.

"Samsung and HTC have both shipped some patches for some devices," Adam Ely, co-founder of Bluebox, told CSOonline. Bluebox uncovered the vulnerability that could impact 99 percent of some 900 million Android devices in the world.

"The information from the manufacturers and carriers that's coming in is pretty spotty," Ely said.

Typically, handset makers push fixes to their latest models before addressing problems with older models. "They generally will first fix whatever's most popular in their market, whatever they're trying to push, and work backwards," he said.

"Almost all OEMs don't care about phones that were sold more than a year ago," said Pau Oliva Fora, an Android analyst with viaForensics. "Not even Google has pushed updates to its Nexus phones yet."

Rapid7 Vice President and General Manager for Mobile, Giri Sreenivas, agreed that handset makers aren't being very transparent about how they're tackling the Bluebox vulnerability.

"It's likely that the first devices to see the fix beyond the Nexus devices, which are managed by Google, will be the Google Experience devices from HTC (HTC One) and Samsung [Galaxy S4]," Sreenivas said.

Nexus-branded Android devices are manufactured for Google by several handset makers and are usually the first to get updates and fixes.

Google said it has furnished its Android partners with a patch to address the problem. "Some OEMs are already shipping the fix to their Android devices," Google spokeswoman Gina Scigliano said in an email. "Nexus devices will receive the fix in an upcoming software update."

While the vulnerability, which allows digital desperadoes to turn any legitimate application into a malicious Trojan, has been undetected in Android for four years, it seems to have escaped the notice of the hacker community.


"We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools," Scigliano said.

In addition to the patches it's pushing, Google has also configured its online app store, Google Play, to scan apps distributed through the outlet for the defect, as well as offering a program called Verify Apps to check apps obtained from outside Google Play for the flaw.

Shortly after Bluebox discovered its master key vulnerability -- named so because it allows a hacker to modify an application package (APK) without breaking its cryptographic signature -- a similar vulnerability was posted to a Chinese-language website.

"Google has patched the second vulnerability posted on the Chinese website, but similar to the master key vulnerability, there is no transparency from the OEMs about how and when to expect these patches to reach end-user devices," said Rapid7's Sreenivas.

"In an interesting twist," he said, "the Cyanogenmod communities are already starting to incorporate the fixes from Google; therefore, we are seeing custom ROMs running on jailbroken devices and offering a level of protection that other devices are not able to offer."

Although one of the co-founders of Android, Rich Miner, recently discounted the negative impact fragmentation has had on the operating system, Bluebox's Ely said his firm had found that the ecosystem's fractured landscape was definitely contributing to the difficulty of mitigating the serious problem.

"It's a challenge because of fragmentation in the market," Ely said. "Enterprises are having trouble keeping track of what's [been] patched, what hasn't."

Google patched the problem fast, but now the patches have to be tested on the myriad versions of Android out there running on an assortment of handsets, he said.

"That's what makes this difficult," Ely said. "It's the number of places it has to be fixed, which is the result of fragmentation in the market."

While the Bluebox exploit has been treated as an apocalypse waiting to happen by some, others are more sanguine about the discovery. "These issues have been blown out of proportion," said Ken Pickering, development manager for security intelligence at Core Security.

"Yes, you can bypass signature checks, but the Google Play Store is already scanning for this malware," Pickering said. "So, unless you're rooting your phone and sideloading applications, the majority of users should be unaffected by these defects."

"Don't get me wrong, it's a bad bug," he said. "But the actual exploit would be very hard to reproduce on the majority of environments, and it would only affect a minority of users."

John P. Mello

CSO (US)