A vulnerability has been discovered in Android, present for four years, that allows an attacker to convert any legitimate, digitally signed application into a Trojan capable of stealing data or even taking control of the device.
The researchers who detected the error are from Bluebox Security, a mobile security startup, and will speak about it at the upcoming Black Hat USA conference.
It appears that the vulnerability has to do with differences in how Android applications are cryptographically verified, allowing an attacker to modify application packages, or APKs, without breaking their signatures.
When an application is installed and a sandbox is created for it, the researchers say in a post, Android records the application's digital signature. Any later update to the application is then checked against that signature to make sure it comes from the same author.
The vulnerability, which has existed since Android 1.6, allows attackers to add malicious code to already signed APKs without breaking their signatures, and affects all devices launched during the last four years.
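The update check described above can be modelled in a few lines. This is an added example, not Android's code or the researchers': `PackageRegistry`, the package names and the certificate byte strings are all constructed for illustration, and the certificates are stand-ins for real DER-encoded ones.

```python
import hashlib

def signer_set(cert_blobs):
    """Return the set of SHA-256 fingerprints of a package's signing certificates."""
    return frozenset(hashlib.sha256(c).hexdigest() for c in cert_blobs)

class PackageRegistry:
    """Toy model of the installer's per-package signer record (assumption, not Android code)."""

    def __init__(self):
        self._pinned = {}  # package name -> frozenset of certificate fingerprints

    def install(self, package, cert_blobs):
        signers = signer_set(cert_blobs)
        if not signers:
            return "rejected: unsigned package"
        if package not in self._pinned:
            # First install: record who signed the package.
            self._pinned[package] = signers
            return "installed"
        if self._pinned[package] != signers:
            # Update signed by a different set of certificates than the installed copy.
            return "rejected: signer differs from installed version"
        return "updated"

# Constructed stand-ins for DER-encoded signing certificates.
VENDOR_CERT = b"constructed-cert: vendor"
OTHER_CERT = b"constructed-cert: someone else"

def demo():
    reg = PackageRegistry()
    return [
        reg.install("com.example.app", [VENDOR_CERT]),              # first install
        reg.install("com.example.app", [VENDOR_CERT]),              # same author
        reg.install("com.example.app", [OTHER_CERT]),               # different author
        reg.install("com.example.app", [VENDOR_CERT, OTHER_CERT]),  # extra signer
        reg.install("com.example.new", []),                         # no signature
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The check only compares who signed the package; it depends on signature verification having already confirmed that the contents are what the author signed. A package altered without breaking its signature still presents the original signer and passes as an ordinary update.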
According to the researchers, depending on the type of application, an attacker can exploit the vulnerability for anything from data theft to the creation of a mobile botnet.
Google has been aware of the problem since last February and has shared the information with its partners. The Samsung Galaxy S4, for example, already has a patch.
The firmware updates available for this problem will differ depending on models, manufacturers and operators.