Researchers are sounding alarms over the discovery of yet another security vulnerability in the Android mobile platform.
The flaw, first spotted by researchers in
China, would potentially allow an attacker to manipulate an otherwise
legitimate Android APK to execute malicious code without detection by
the system.
According to researchers with Sophos, the
vulnerability lies in the way Android handles compressed APK
files. By modifying an application's .dex file to be a
certain size, an attacker could potentially instruct the system to skip
the execution of legitimate code and instead run attack code.
The result, says Sophos researcher Paul
Ducklin, is a method which could allow malware writers to modify and
redistribute applications with their attack code embedded inside.
“That's a bug in any language, and a
discomfiting one for Google, whose security teams will surely consider
this an elementary mistake that ought to have been caught in testing, if
not during code review,” said Ducklin.
The discovery of the flaw comes in the
wake of another high-profile security disclosure for the Android
platform. Known as the 'master lock' vulnerability, that flaw afflicts
some 99 per cent of Android devices.
According to Ducklin, the new security
hole is not likely to be as prevalent. He noted that implementing the
attack requires files to be a specific size and length as well as a
certain name. He added that many Android applications do not appear to
be compatible with the attack technique.
The flaw has already been addressed by Google and can be patched by installing the latest firmware updates from the company.
As Ducklin noted, however, the Android
ecosystem, which relies on hardware vendors to distribute updates, could
leave many users running devices which are still vulnerable to attack.
“Although Google has indeed responded
quickly by patching both holes, and should be commended for its
efficiency, that doesn't get the fixes out into the wider world,” he
said.
“It remains to be seen how hard Mountain View will lean on its many
handset licensees to push out firmware updates for the 'extra field' and
'master key' flaws, since they go to the heart of application
verification on the Android platform.”