Over the last few days much has been written about a serious security hole in the Android operating system that can give attackers complete access to affected mobile devices. Bluebox, who discovered the hole, estimate that 99% of Android devices since version 1.6 are affected. And although some patches exist, the wait, and with it the time spent unprotected, could be very long or even indefinite for many users, because many devices will probably never receive the patch.
What is certain is that an attacker who exploits the vulnerability can gain access to all the data and functions on the device. The attack works by tampering with Android apps, i.e. .apk files: malicious components are added in such a way that vulnerable systems do not detect them during the installation checks.
In simple terms, an .apk file is a container for a set of files, a .zip archive under a different name. On installation the files in the container are subjected to an authenticity check and compared against cryptographic checksums. These checksums are stored in the file META-INF/MANIFEST.MF, which is itself part of the .apk; the manifest is in turn covered by the developer's signature, so the checksums cannot simply be swapped out.
If a file in the container has been changed and therefore no longer matches its stored checksum, the installation is aborted. This step itself works flawlessly.
The current problem is that the attackers do not change the existing files in the container; instead they add modified duplicates under the same file names. The duplicates are not subjected to the security check: the checksum check is run against the original entry. Due to an error, however, the file that actually gets installed is the modified, malicious duplicate. In other words, two code paths on the device disagree about which of two entries with the same name is "the" file, and the signature check and the installer each pick a different one.
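To make the mechanism concrete, here is an added example (not code from the original article and not Android's own implementation) that builds a tiny apk-like zip with a MANIFEST.MF digest section, inserts a second `classes.dex` entry under the same name, and shows how a verifier and an extractor that choose different duplicates reach opposite conclusions. The sample file contents, the choice of which side picks the first and which the last entry, and the minimal manifest writer and parser are all assumptions made for illustration; the final function is the check a practitioner would actually want, since any name that appears more than once in the archive is a red flag regardless of which copy a given parser returns.

```python
import base64
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def sha1_b64(data: bytes) -> str:
    """Digest in the form MANIFEST.MF uses: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(files: dict) -> bytes:
    """Minimal META-INF/MANIFEST.MF with one SHA1-Digest per file (illustrative writer)."""
    out = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        out += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return ("\r\n".join(out) + "\r\n").encode("utf-8")


def parse_manifest(raw: bytes) -> dict:
    """Return {entry name: SHA1-Digest} from a manifest (illustrative parser)."""
    digests, name = {}, None
    for line in raw.decode("utf-8").splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
            name = None
    return digests


def make_apk(entries, manifest_files) -> bytes:
    """Write entries in the given order; names MAY repeat, which is the bug's trigger."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns (but still writes) on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", build_manifest(manifest_files))
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def entries_in_order(apk: bytes) -> dict:
    """name -> list of entry bodies, in central-directory order, duplicates included."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():  # open by ZipInfo so each duplicate is read separately
            found.setdefault(info.filename, []).append(zf.open(info).read())
    return found


def verify(apk: bytes, pick: str) -> bool:
    """Check every manifest digest against the entry chosen by `pick` ('first' or 'last')."""
    found = entries_in_order(apk)
    digests = parse_manifest(found["META-INF/MANIFEST.MF"][-1])
    idx = 0 if pick == "first" else -1
    return all(name in found and sha1_b64(found[name][idx]) == digest
               for name, digest in digests.items())


def duplicate_names(apk: bytes) -> dict:
    """The robust check: names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


# Constructed sample contents; real entries would be dex bytecode.
ORIGINAL = b"original classes.dex (signed by the developer)"
TROJAN = b"modified classes.dex (added by the attacker)"

# The manifest covers only the developer's file, which stays in the archive untouched,
# but a second entry with the same name is placed ahead of it.
TAMPERED_APK = make_apk([("classes.dex", TROJAN), ("classes.dex", ORIGINAL)],
                        {"classes.dex": ORIGINAL})
CLEAN_APK = make_apk([("classes.dex", ORIGINAL)], {"classes.dex": ORIGINAL})

if __name__ == "__main__":
    print("verifier using the last duplicate :", verify(TAMPERED_APK, "last"))
    print("verifier using the first duplicate:", verify(TAMPERED_APK, "first"))
    print("what a first-match extractor installs:", entries_in_order(TAMPERED_APK)["classes.dex"][0])
    print("duplicate names:", duplicate_names(TAMPERED_APK))
```

Run as a script, the tampered archive passes a verifier that resolves a name to its last entry while a first-match extractor hands out the attacker's bytes; the clean archive passes either way. `duplicate_names` does not care which copy any parser would return, which is why rejecting archives with repeated names is the safer rule for any installer or scanner that has to reason about signed zip containers.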
Attackers can exploit the vulnerability to gain access to the device in various ways:
According to reports, Google has already reacted and forwarded the necessary information to the device manufacturers. Users now have to wait for the corresponding update or patch for their devices. Unfortunately, the update policies and the technical update paths for Android devices have often been the real stumbling block. Fragmentation across manufacturers, carriers and device models, more a curse than a blessing in cases like this, leads to poor security conditions. Many devices will presumably never receive an update because they have already passed the "end-of-life" date defined by the manufacturer.
Until an official update or patch is available for their device, users should do the following: