About 900 million devices, all those released in the past 4 years, are at serious risk. As stated by Jeff Forristal, CTO of Bluebox Labs, Android contains a serious vulnerability that lets an intruder bypass an application's cryptographic security layer by altering the APK code, turning a normal app into malware or a Trojan. The vulnerability has been present since the launch of Android 1.6 Donut.
Forristal warned that once an intruder turns an app into a nefarious piece of code, it can harm the user severely, for example by stealing data or by using the phone to spread viruses and malware.
While the risk above is already very severe, an even bigger risk concerns the mobile device manufacturers. These companies (HTC, Samsung, Motorola and LG) ship applications that hold special permissions inside the system UID within Android. As Forristal concluded, this can cause huge chaos: the devices themselves will contain Trojans, and hence so will all their applications. Phone calls, SMS and e-mails, along with usernames and passwords, will then be under the hacker's control.
How does it affect devices?
A flaw in how Android's cryptographic verification process works allows the APK code to be altered without touching the cryptographic signature at all.
By default, every Android application carries a cryptographic signature that is verified to confirm its legitimacy. This security loophole allows a hacker to change a legitimate app into malware while leaving the cryptographic signature untouched, so Android is successfully deceived into trusting that the app has not been modified.
A cryptographic signature is a kind of digital file generally associated with e-mails, electronic documents and applications. It helps verify that the application is legitimate and has not been modified.
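The following is an added example, not from the original article or from Bluebox. Public write-ups of this bug describe the flaw as Android's signature verifier and its installer reading different copies of a file stored twice under the same name inside the APK archive (an APK is a ZIP file); the article above does not go into that detail. The Python below builds a constructed archive in APK layout and shows the defender-side check that catches such a package before installation: reject anything whose directory lists a name twice.

```python
import base64
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def build_sample_archive(tampered: bool) -> bytes:
    """Constructed sample in APK layout (not a real app). The manifest digest
    covers the original classes.dex; with tampered=True a second classes.dex
    with different bytes is appended, so one name now has two entries."""
    original = b"ORIGINAL-CODE"
    digest = base64.b64encode(hashlib.sha1(original).digest()).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", original)
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Name: classes.dex\nSHA1-Digest: {digest}\n")
        if tampered:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicates
                zf.writestr("classes.dex", b"TAMPERED-CODE")
    return buf.getvalue()


def duplicate_entries(archive: bytes) -> dict:
    """Entry name -> count for every name that appears more than once in the
    central directory. A correctly built signed APK has none."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def copies_of(archive: bytes, name: str) -> list:
    """Every payload stored under one name, in directory order, so a checker
    can see whether the first copy (what a verifier might hash) and the last
    copy (what a loader might pick) actually differ."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def safe_to_install(archive: bytes) -> bool:
    """Defender gate: refuse any package whose archive lists a name twice,
    regardless of whether the signature over the first copy verifies."""
    return not duplicate_entries(archive)
```

Running `duplicate_entries` over the tampered sample reports `{"classes.dex": 2}`, and `copies_of` shows the two payloads side by side, which is what a digest-only check that hashes just one copy would miss.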
Why is Android so unsafe?
Because of its open-source nature and the full freedom to customize it, Android is both a favorite and unsafe. No keys are required to exploit Android applications or their users.
The following tips should be considered in order to stay safe:
- Make sure that the publisher of the app is reputable and identifiable before downloading the app.
- One should always keep their devices updated, and if you are an enterprise you should encourage users to keep updating their applications and software.
- Always download apps from a trusted source, i.e. the Google Play Store, and only after verifying the publisher's identity.
According to recent news, Google has changed its procedure for accepting apps into its Play Store; this will keep exploited apps out of the store so that they are not spread through Google.