
“New” security hole affects 99 percent of Android users


A newly discovered security hole could affect as much as 99 percent of the Android userbase. According to security researchers at Bluebox Labs, a bug that has existed since Android 1.6 allows a third party to modify an application without breaking its cryptographic signature. Translated, this means a hacker could theoretically push malware to a device in the form of an update to an app legitimately installed on a handset.

There would still be a few hurdles to clear to make this a reality, such as devising a means to deliver the update to a user’s handset. It would not be possible through the Google Play Store, but could possibly be achieved through a third-party app store or bogus website. If a hacker could trick users into installing the disguised malware, they would have free rein to deploy any number of existing or new Android trojans.

Bluebox has already alerted Google, but it seems there is little being done. The Android maker is leaving it to device manufacturers to address the issue, which is apparently the case with Samsung. Word is they have patched the issue with the Galaxy S4. Google’s Nexus 4, on the other hand, remains vulnerable.
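The article’s point is that a modified app can pass as a legitimately signed one, so a defender vetting a sideloaded update wants to confirm the archive is self-consistent before trusting it. The script below is an added example, not Bluebox’s or Phandroid’s code: it verifies only the MANIFEST.MF digest layer of an APK (the CERT.SF/CERT.RSA signature step is assumed out of scope) and flags duplicate ZIP entry names, with the sample archives constructed inline.

```python
import base64
import hashlib
import io
import warnings
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Map each 'Name:' section of MANIFEST.MF to its base64 SHA1-Digest."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests


def check_apk(data):
    """Return findings; all-empty lists mean the archive is self-consistent."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = [i.filename for i in zf.infolist()]
    # A name that appears twice is suspicious: different tools may read different copies.
    findings = {"duplicates": sorted({n for n in names if names.count(n) > 1}),
                "mismatch": [], "unlisted": []}
    digests = parse_manifest(zf.read(MANIFEST).decode())
    for n in dict.fromkeys(names):  # unique names, archive order
        if n.startswith("META-INF/"):
            continue
        if n not in digests:
            findings["unlisted"].append(n)
            continue
        actual = base64.b64encode(hashlib.sha1(zf.read(n)).digest()).decode()
        if actual != digests[n]:  # zf.read() returns the last copy of a name
            findings["mismatch"].append(n)
    return findings


def build_sample_apk(tamper=False):
    """Constructed sample (not a real app); tamper=True appends a second
    classes.dex with different bytes while the manifest stays untouched."""
    files = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035"}
    manifest = "Manifest-Version: 1.0\n\n" + "".join(
        f"Name: {n}\nSHA1-Digest: {base64.b64encode(hashlib.sha1(c).digest()).decode()}\n\n"
        for n, c in files.items())
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf, warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        zf.writestr(MANIFEST, manifest)
        for n, c in files.items():
            zf.writestr(n, c)
        if tamper:
            zf.writestr("classes.dex", b"dex\n035-tampered")
    return buf.getvalue()
```

Running `check_apk(build_sample_apk(tamper=True))` reports both the duplicate entry and the digest mismatch, while the clean sample reports nothing.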

[via The Verge]




  • Matt Laney

    That’s why I switched to iOS…. To get my holes filled in a timely manner.

    • Jroc869, Nexus-Life

      clever pun?

      • scoter man1

        More like not so clever pun, lol.

    • Dan

      Makes sense. Why use your brain when Apple can do it for you.

    • Cesar Ortiz

      This level of genius is admirable…*facepalm

    • timmyjoe42

      Haha, you like to get your hole filled.

    • Scott Stafford

      Good riddance, you’ll fit in nicely among your new peers.

    • rabidhunter

      There’s exploits for iOS just the same. If it can be jailbroken, it can be exploited. Don’t get yourself into a false sense of security. I remember a hack off challenge between a Mac, a PC running Windows 7, and Linux. The hacker was able to crack the Mac the easiest and the fastest. Linux took the longest to crack.

    • yankeesusa

      Really? That’s why you chose to go with iOS? It wasn’t ’cause it had better features or ran smoother? Good for you. Have fun with your 1-2 years behind OS that sues everyone for copying them but when they copy everyone else they say it was their design in the first place.

    • OCSportsGeek

      Well! Hope that’s working out for you *obligatorythat’swhatshesaid*

    • Matt Laney

      You guys must be slow. If you can’t see the humor in my comment, you should not be allowed on the Internet. http://m.quickmeme.com/meme/3v2v4u/

      • Unorthodox

        Hey, remember that South Park episode about Apple’s EULA?

      • Cesar Ortiz

        Nope, we clearly saw the joke. It was gay and sucked hard.

        • nwd1911

          I should not laugh at this…but I couldn’t help myself.

        • Matt Laney

          I respect your opinion, as you are clearly an expert in being gay and sucking hard.

          • Cesar Ortiz

            You clearly do not. Nor did you understand what I meant by the means of “gay” or “sucked hard”.

          • Matt Laney

            Then please, enlighten me with your infinite knowledge on the subject.

    • mitch326

      apple is good at bending people over

      • Keith

        Nothing is wrong with the phone….people just hold it wrong!!!

    • Bizzle9

      I thought your joke was tasteless, homophobic and totally hilarious.

      I like the cut of your jib.

      • nwd1911

        More people should say, “I like the cut of your jib.” And for that Bizzle, I like the cut of your jib.

    • Fit

      Took quite a while and many updates to fix that iOS lockscreen bug though.

  • gtbarry

    Read more than the headlines people: “How that distribution would actually occur is still theoretical. Exploiting via Google’s Play Store isn’t possible, since Google has already updated the platform.” You could only get this if you choose to use third party sites. Unlike apple you have choices with Android. And the choices include you can knowingly do the wrong thing by digging deep into settings and allowing “install from unknown sources” and actively searching for unknown places to download unknown software packages. Choice – gives you the ability to choose to not use common sense.

    • Cesar Ortiz

      Yup, so for us users that don’t tinker with third party sites .. this article is pointless

      • gtbarry

        Couldn’t agree more. Use only the Play Store, Amazon App Store and your brain.

        • Cesar Ortiz

          Mostly your Brain , without thinking, you probably download all kinds of app in the playstore that add malware or shortcuts .. :P

        • ScottColbert

          Amazon app store is vulnerable as well, you have to have unknown sources permission to use it.

    • Reg Joo

      That’s the reason there’s choice, you can’t let fanboyism cloud reality, the threat is real, now that it’s known, every malicious hacker will try to exploit this, in so many different forms. These other app stores have to step up their game, if not leave them alone (I know I will, I’m not lame enough to just forget about the risk). Google must have known about this years ago, how it’s explained makes a lot of sense, if I hacked, I’d find a way to use it. There’s a lot of bad people, trying to make a name for themselves, by destroying our fun. Don’t let them!

      • OptimusKLP

        No one is saying that the threat isn’t real but these tech sites are exaggerating the extent of this threat. Taking into consideration that most people DON’T side load apps or even know what “apk” means, this does not affect 99% of users.

      • Anthony Walker

        Who doesn’t know that downloading things from unknown sources can have serious consequences? People who are choosing to side load apps already know the danger and they still do it. Why are you worried about them if they’re not?

  • ArmageddonX

    Saying this is a security hole in Android is like saying cars force us to break the law because we can choose to go faster than the posted speed limit.

    It’s a simple process to not allow installations from unknown sources. Calling this a security hole is disingenuous and frankly untrue. The user is warned twice when checking this option.

  • uniquename72

    Another android ‘vulnerability’ that only affects idiots.

    • HitokiriX

      Which, by the headline, people seem to believe 99% of us Android users are.

      • Cesar Ortiz

        So he’s implying most of us android users are idiots? the only idiot we see in here is the one iOS user that doesn’t keep his articles over at the iOS site..

        • HitokiriX

          When it says the hole affects 99% of us and in actuality it doesn’t unless you take deliberate steps in order to be exposed to this flaw, then yes, it implies that.

      • Reg Joo

        I’m not gonna insult people by calling them idiots, but in reality, there’s a lot of truth to the statement, although the percentage isn’t so high. There are a lot of people that buy smartphones, just for their egos. I know every one of us, has been somewhere, in public, noticing someone with a dynamite phone, and are so clueless, as how to use it, and it makes you mad, because you wonder why they bought such a phone in the first place. Even a dumbphone would be too much for them. Some people can afford the latest and greatest, but barely have a clue, and get the best to feed their ego, then their tech friend gets the phone, and checks that box, thinking they’re helping. If you hate your dumb friend, check it, he’ll be clueless (and take it back to the carrier).

    • Butters619

      Wait. So you are telling me I shouldn’t click on a random link and download an “update” from a website instead of the official app or Google Play Store? I dunno man.

      • Cesar Ortiz

        see butters? this is why we can’t have nice things. you are grounded! :P

      • OptimusKLP

        That’s it Butters, you’re grounded!

      • Fit

        Seems legit to me (lol)

    • chuckles87

      These troll posts by Kevin are getting f@(#!ng old. I’ve seen this on Google plus spread by a notorious apple fanboy.

      • Cierra Butler

        That’s where I saw it

    • endinyal

      Right. And guys like you say that iPhones are only for idiots but WAIT… now you folks claim that there are idiot users using Android? Is that the best counter-argument you can come up with?
      If this were on iOS, you guys would be the first ones to preach to everyone that Apple should be sued into oblivion.

      The sad part (for Android) is that even with this huge, glaring security hole that would pretty much invalidate Android for serious use, it’s hardly even worth a blip of mention in the mainstream media since it’s not even considered worth the effort to report something that is essentially a botched system to begin with.

      • squiddy20

        Do you really understand how little this affects the hundreds of millions of Android users? First, you have to have “Unknown sources” checked. Most people don’t even know it’s a setting they can enable/disable. If it’s not check marked, this vulnerability doesn’t apply to you. There goes several million Android devices alone.

        Secondly, you would have to go outside of the Play Store as everything contained within is safe from this vulnerability. Again, not many people know or care about 3rd party app stores. What’s easiest is usually the best. So again, knock off a handful more million Android devices.

        Thirdly, it is possible that this could affect Amazon’s app store and a few others like it, but unlikely. You’re more likely to get a “cracked” app from some Chinese source that sells paid apps for free (pirating), in which case, you get what you deserve. And just because I sideloaded an app from XDA does not automatically mean I’m infected/vulnerable, since XDA is for the most part, pretty safe.

        Fourthly, Bluebox discovered a vulnerability. They didn’t discover an app in the wild that actually does this. Sure, someone could come along and make said app, but for the reasons stated above, the likelihood of it affecting anyone is nil.

      • uniquename72

        Instead of being an ass, how about thinking about my comment, genius.

        What I (obviously) meant was that only Android users who would be stupid enough to sideload random apps are vulnerable to this. Like most Android malware, it only affects idiots.

        Also, my gf* has an iPhone, so I’ve never said that only idiots use iPhones. It’s nice; it’s just not open enough to interest me.

        (*You do know what a gf is, right? It’s one of those people with vaginas who won’t talk to you.)

      • glumlord

        Not quite to the same degree but this is similar to jailbreaking your phone.

        You are going out of your way to use apps outside the recommended and preferred ecosystem.

        Do I need to mention the plethora of security risks when jailbreaking an iOS device? It’s no different on Android. The title of the article is a bit misleading and that’s what the OP was trying to say.

  • Cesar Ortiz

    What a surprise… Kevin Krause writing this type of article…

    • squiddy20

      This is the first thing I thought of when seeing the title and author as well…

  • vawwyakr

    The really stupid part here is that the risk comes from installing an app from an untrustworthy source. The thing is, if the risk here is from such a source, then installing it in the first place is a problem! Because it could have just as easily been a malicious app upon initial install. News sites are running around screaming about this but it’s really a non-story. Until someone can hijack official Google market updates (without needing to hack into a dev’s account… because in that case you could just put your malicious code into a normal update), then I can’t fathom how this is dangerous.

    • Reg Joo

      The only time I sideload anything is when I get unsupported APKs for rooting purposes, that I know Google Play won’t allow (usually by PC). I leave other app stores alone anyway, they only seem to be interested in games, and other frivolous things. I do much better getting what I need thru the PC. I scan it first thru the PC’s antivirus, then I run it thru my AVD manager. If it passes that, I install. There’s no reason the alternative app stores don’t check what they put out, it makes good business sense.

  • MG83

    A newly discovered iOS editor, who recently jumped ship, has found his way back through a security hole at Phandroid. The malicious updates are disguised as legitimate news updates, and Phandroid is doing little about it.

    • Cesar Ortiz

      You sir, made my day.

    • Blkegk

      you sir, made my post of the year!

    • ntegrit

      Nicely done!

    • ArmageddonX

      Well played =)

  • ScottColbert

    Fortunately there’s an article about it on Android Central based on fact, written with actual skill.

    • NightAngel79

      Is that a joke? Lol

      • ScottColbert

        No the joke is Krause and his half assed attempts at writing, not to mention most of what is on this site these days.

      • squiddy20

        Is THAT a joke? The AC article he’s referencing has at least 4x the amount of words, that go much much further in depth on the issue, along with presenting possible remedies/solutions. Hell, their explanation of what it is alone is longer than this “article”, and presents none of the doom-and-gloom that Kevin and most other sites that reported on this seem to think there is.

        Yes, it affects 99% of all Android devices, IF you get your apps from somewhere other than the Play Store, AND if you have that “Unknown Sources” checked, AND if you’re stupid enough to install an app from some shady/unverified source. That effectively puts the percentage of people this affects at maybe 10%, more than likely less. Also, considering the average Android user has no idea that you can sideload apps, let alone that there’s a checkbox to enable it, this is basically a non-issue.

  • tom-e

    This news came out like a week ago… Trying to make a story outta nothing.

  • Jerel Butler

    Want to know something strange? On a different site last night I read this article and the comment section lit up, and the “writer” of that article was an iOS user. As I read through the comments they mirror each other, even though Google handled it in February.

  • squiddy20

    It might possibly affect “99% of devices” IF you download from places other than the Play Store, and are a complete and total idiot. Most people don’t even know there’s a checkbox to allow sideloading of apps.

    Just another FUD piece by none other than iPhone loving Kevin Krause. If you want something infinitely more detailed and less doom-and-gloom, go read Android Central’s article on this same topic: http://www.androidcentral.com/making-sense-latest-android-security-scare

    • OptimusKLP

      “It might possibly affect “99% of devices” IF you download from places other than the Play Store, and are a complete and total idiot. Most people don’t even know there’s a checkbox to allow sideloading of apps.”

      Yes exactly! Ask any casual user what “side loading” means and how many will know the answer?

  • Keith

    Oh nooooooo….just another thing to add to the list of latest and greatest malware/trojan/virus that will take over our phones…but does it ever happen? How many phones actually get infected with this stuff? They throw out all these worst case scenarios like all of our phones are going to fall victim but it never happens….

    It’s one thing if they just said be careful and don’t download from some shady third party app store, but they just use some scare tactics and it usually originates from a security company hoping you will buy their services.

    Why don’t you write a good story about the NSA surveillance, you know something that actually happens.

  • itsgonnalast

    I see dozens of headlines similar to this one on Google News. A more accurate (but less dramatic) headline might be “Users of third-party Android app stores are affected by security flaw.”

  • itmustbejj

    Not only is this just an issue for side loading third party apps, but to be a really significant threat, it would have to be a sideloaded app with root level permissions. 99% indeed.

  • John Wentworth

    Overstated. This only affects people who sideload and install apps from outside Google Play; while a number of users on Phandroid might do that, overall most Android users do not install apps from unknown sources. It’s an issue, no doubt, that is being remedied, but patching the Google Play Store (which is already done) actually effectively solves the problem for the vast majority of people already; unknown sources has always been kind of dangerous. I use it occasionally myself but you have to be careful.

  • pr0xidian

    The only apps I’ve ever side loaded were adblock and adobe flash. Got both from xda devs which I trust.

  • sdrawkcab25

    yawn…must be a slow news day….

  • hemipw54

    Crud Apple is at it again, reminds me of the Micro$oft F.U.D. years.

  • Jason Crumbley

    I thought this was an actual problem until I read the story. I then realized the only problem is that this guy is allowed to write articles for this site.

  • ikillflesh

    flashing a rom every 12 hours effectively fixes this bug.

  • Johnone

    So great that this information could help us a lot about android phones. Nowadays, many android phone online store that sell different android phone brands. Only there is the description and no satisfactorily information to broaden our knowledge about iphones. Thanks to this site!

  • toomuchgame441

    You Android drones are the worst… You think Phandroid is the only site that writes these types of articles? Android is probably the most vulnerable operating system, and this is coming from a huge Android lover. But I’m not so blind to see that this OS is attacked the most compared to other mobile OSes; it may not affect several of us folks that frequent this site or other tech sites but it affects a lot of users, even those who just download direct from the Play Store.

  • Forever Phat

    We already knew android was full of malware and fart apps.