Android mega flaw fixed but phones remain vulnerable

Handset makers are slow to push fix to users, and fragmentation is not helping in the enterprise

Google quickly addressed a mega flaw in its Android mobile operating system after security researchers brought it to the company's attention earlier this month, but those fixes appear to be slow in reaching handset owners.

"Samsung and HTC have both shipped some patches for some devices," Adam Ely, co-founder of Bluebox, told CSOonline. Bluebox uncovered the vulnerability that could impact 99 percent of some 900 million Android devices in the world.

"The information from the manufacturers and carriers that's coming in is pretty spotty," Ely said.

Typically, handset makers push fixes to their latest models before addressing problems with older models. "They generally will first fix whatever's most popular in their market, whatever they're trying to push, and work backwards," he said.

"Almost all OEMs don't care about phones that were sold more than a year ago," said Pau Oliva Fora, an Android analyst with viaForensics. "Not even Google has pushed updates to its Nexus phones yet."

Rapid7 Vice President and General Manager for Mobile, Giri Sreenivas, agreed that handset makers aren't being very transparent about how they're tackling the Bluebox vulnerability.

"It's likely that the first devices to see the fix beyond the Nexus devices, which are managed by Google, will be the Google Experience devices from HTC (HTC One) and Samsung [Galaxy S4]," Sreenivas said.

Nexus-branded Android devices are manufactured for Google by several handset makers and are usually the first to get updates and fixes.

Google said it has furnished its Android partners with a patch to address the problem. "Some OEMs are already shipping the fix to their Android devices," Google spokeswoman Gina Scigliano said in an email. "Nexus devices will receive the fix in an upcoming software update."

Although the vulnerability, which allows attackers to turn any legitimate application into a malicious Trojan, has been present in Android for four years, it seems to have escaped the notice of the hacker community.


"We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools," Scigliano said.

In addition to the patches it's pushing, Google has also configured its online app store, Google Play, to scan apps distributed through the outlet for the defect, as well as offering a program called Verify Apps to check apps obtained from outside Google Play for the flaw.

Shortly after Bluebox discovered its master key vulnerability -- so named because it allows a hacker to modify an application package (APK) without breaking its cryptographic signature -- a similar vulnerability was posted to a Chinese-language website.
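The article does not spell out how an APK can be modified without invalidating its signature. The check below is an added example, not code from the article, Bluebox or Google, and it assumes the mechanism Bluebox later described publicly: the APK's ZIP central directory carries two entries with the same name, the signature verifier reads one copy and the installer extracts the other. A scanner therefore only has to walk the central directory by hand (Python's `zipfile` collapses duplicate names in its lookup table, which is the same ambiguity the attack relies on) and flag any name that appears more than once. The sample APKs are constructed in memory; `build_apk`, `CLEAN_APK` and `TAMPERED_APK` are names chosen for this example.

```python
from __future__ import annotations

import io
import struct
import warnings
import zipfile
from collections import Counter

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"   # central directory file header


def central_directory_names(apk_bytes: bytes) -> list[str]:
    """Every entry name in the ZIP central directory, in order, without
    deduplication. Walked by hand so that two entries sharing a name are
    both reported instead of one silently shadowing the other."""
    # The EOCD record is at most 22 bytes plus a 65535-byte comment from the end.
    tail = apk_bytes[-(22 + 65535):]
    eocd = tail.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP/APK: no end-of-central-directory record")
    # EOCD layout: total entries (u16 @10), directory size (u32 @12), offset (u32 @16)
    total_entries, _cd_size, cd_offset = struct.unpack_from("<HII", tail, eocd + 10)

    names: list[str] = []
    pos = cd_offset
    for _ in range(total_entries):
        if apk_bytes[pos:pos + 4] != CDIR_SIG:
            raise ValueError(f"corrupt central directory header at offset {pos}")
        # Central header: name length @28, extra length @30, comment length @32, name @46
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", apk_bytes, pos + 28)
        names.append(apk_bytes[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def find_duplicate_entries(apk_bytes: bytes) -> dict[str, int]:
    """Entry names listed more than once, mapped to how many times they appear.
    A signed APK with any such name is ambiguous: the verifier and the installer
    may not agree on which copy is the real file."""
    counts = Counter(central_directory_names(apk_bytes))
    return {name: n for name, n in counts.items() if n > 1}


def build_apk(entries: list[tuple[str, bytes]]) -> bytes:
    """Constructed sample (example helper): an APK-shaped ZIP holding the given
    (name, content) pairs in order. Duplicate names become separate entries."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns, but still writes, duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, content in entries:
                zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs: a well-formed package and one carrying a second classes.dex.
CLEAN_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\x00" + b"\x00" * 16),
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
])

TAMPERED_APK = build_apk([
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex\n035\x00" + b"\x00" * 16),   # the copy the signer hashed
    ("classes.dex", b"dex\n035\x00" + b"\xff" * 16),   # the attacker's copy
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
])


if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("tampered", TAMPERED_APK)):
        dupes = find_duplicate_entries(apk)
        print(f"{label}: duplicate entries: {dupes or 'none'}")
```

Run it against a real `.apk` by reading the file into `find_duplicate_entries`. The check is a necessary sanity test for any pipeline that accepts v1 (JAR-signed) packages from outside Google Play; it does not verify the signature itself, and it says nothing about the separate bug from the Chinese-language site, whose fix the article mentions but does not describe.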

"Google has patched the second vulnerability posted on the Chinese website, but similar to the master key vulnerability, there is no transparency from the OEMs about how and when to expect these patches to reach end-user devices," said Rapid7's Sreenivas.

"In an interesting twist," he said, "the CyanogenMod communities are already starting to incorporate the fixes from Google; therefore, we are seeing custom ROMs running on jailbroken devices and offering a level of protection that other devices are not able to offer."

Although one of the co-founders of Android, Rich Miner, recently discounted the negative impact fragmentation has had on the operating system, Bluebox's Ely said his firm had found that the ecosystem's fractured landscape was definitely hampering efforts to mitigate the serious problem.

"It's a challenge because of fragmentation in the market," Ely said. "Enterprises are having trouble keeping track of what's [been] patched, what hasn't."

Google patched the problem fast, but now the patches have to be tested on the myriad versions of Android out there running on an assortment of handsets, he said.

"That's what makes this difficult," Ely said. "It's the number of places it has to be fixed, which is the result of fragmentation in the market."

While the Bluebox exploit has been treated as an apocalypse waiting to happen by some, others are more sanguine about the discovery. "These issues have been blown out of proportion," said Ken Pickering, development manager for security intelligence at Core Security.

"Yes, you can bypass signature checks, but the Google Play Store is already scanning for this malware," Pickering said. "So, unless you're rooting your phone and sideloading applications, the majority of users should be unaffected by these defects."

"Don't get me wrong, it's a bad bug," he said. "But the actual exploit would be very hard to reproduce on the majority of environments, and it would only affect a minority of users."

John P. Mello

CSO (US)