
Android Security Flaw: Galaxy S4 immune, but click here to scan your phone with free app

By Vicky Kapur

Last week, security firm Bluebox Security uncovered a new vulnerability in Android phones that could allow installed apps to be modified without the user being aware of it.

According to the firm, just about any app in the Android Play Store can be converted into a nasty Trojan horse.

The remarkable thing in the episode is that this vulnerability in Android had gone unnoticed for the past four years, starting with Android 1.6 Donut. Additionally, ‘Master Key’ malware, as it is commonly known, can potentially affect 99 per cent of Android devices in the market.

According to their recent studies, it seems that only the Samsung Galaxy S4 smartphone has the patch that can combat this new threat.

However, all you Android fanboys out there, there is no point panicking. After exposing the deadly vulnerability, the nice guys at Bluebox Security research have now released an Android app to help users ascertain whether their system is vulnerable or safe from the security flaw.

The app, Bluebox ‘Master key’ Security Scanner, is now available on Google’s Play Store and is free to download and install.

According to the app developers, the security scanner will scan your device to determine:

- If your system is vulnerable or patched to the Bluebox "Master key" security flaw affecting most Android devices

- If your system settings allow non-Google Market application installs

- If any installed application on your device is trying to maliciously take advantage of the security flaw

According to Internet security firm Trend Micro, even as the “master key” vulnerability has attracted considerable media attention, it has not always been accurately reported.

The security firm says it has updated Trend Micro Mobile Security to protect its users, but at the same time has sent out a brief on what is going on, what the threat is, and what users can do. Here goes:

What’s this “master key” vulnerability?

The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route.

An app can only be updated if the new version has a matching signature from the same developer.

This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.

Note that technically, there is no “master key” that has been breached. Yes, any app can be modified and used for malicious purposes, but there’s no “master key” in the first place.
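As an added illustration (not code from Bluebox, Trend Micro or Android), the sketch below models the two checks described above: that a package's contents still match the digests recorded when it was signed, and that an update comes from the same signer as the installed version. It assumes a JAR-style digest manifest, treats the certificates as opaque byte strings, does not verify the cryptographic signature over the manifest itself, and uses hypothetical function names.

```python
import base64, hashlib, io, zipfile
MANIFEST = "META-INF/MANIFEST.MF"

def b64_sha256(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def build_package(files, signed_files=None):
    """Constructed sample: zip `files`, with a manifest describing `signed_files`."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in (signed_files or files).items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {b64_sha256(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST, "\r\n".join(lines))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Return {entry name: base64 digest}; ignores 72-byte line wrapping."""
    digests, name = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")
        if key == "Name":
            name = value
        elif key == "SHA-256-Digest" and name:
            digests[name] = value
    return digests

def content_problems(package):
    """Entries that differ from, or are not covered by, the digest manifest."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        expected = parse_manifest(z.read(MANIFEST).decode())
        names = [n for n in z.namelist() if not n.startswith("META-INF/")]
        problems = []
        for name in names:
            if name not in expected:
                problems.append(f"unlisted: {name}")
            elif expected[name] != b64_sha256(z.read(name)):
                problems.append(f"modified: {name}")
        return problems + [f"missing: {n}" for n in expected if n not in names]

def update_allowed(installed_cert, update_cert, update_package):
    """Accept an update only from the same signer and with intact content."""
    return installed_cert == update_cert and not content_problems(update_package)

if __name__ == "__main__":  # constructed sample: manifest signed over different bytes
    tampered = build_package({"classes.dex": b"patched"}, {"classes.dex": b"original"})
    print(content_problems(tampered))
```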

What are the risks?

This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.

What can users do to protect themselves?

Trend Micro has updated its Mobile App Reputation Service to detect apps that abuse this vulnerability, but so far it has not found any. The firm has also released an update to the pattern to ensure that it will detect apps that target this particular vulnerability.

In addition, Trend Micro strongly suggests disabling the ability to install apps from sources outside of Google Play. This setting can be found under Security in the system settings of Android devices.

Google has taken some steps to protect users. It has modified the backend of its online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat. The company also released a fix for the vulnerability and distributed it among OEMs.
