Android re-exposure hacker can fake formal application

Sina Science and technology news in Beijing July 30 morning, a study published in Tuesday showed that Google's Android operating system has a security loophole that allows hackers to fake trusted formal applications, thereby hijacking a user's smartphone or tablet computer. The fundamental problem, says security company Bluebox in the report, is the way Android validates its identity. Authentication is one of the most fundamental problems in the Internet world. For example, is the person who is logged into a bank account the owner of the accounts? Is the application really as it claims? The main business of Bluebox, based in San Francisco, is to help businesses protect data security on their mobile devices, so the company's employees are studying and understanding the architecture of mobile operating systems. Each Android application has its own digital signature, or ID card. For example, Adobe has a specified signature on Android, and all programs developed by the company have an ID based on that signature. But Bluebox found that Android did not verify the ID's authenticity to Adobe when an application flashed out the Adobe ID. In other words, cyber criminals can exploit fake adobe signatures to develop malicious software that infects users ' systems. Of course, the issue is not limited to Adobe: Hackers can also create a malicious application that fakes Google's wallet and then access the user's payment account and financial data. System management software also has the same problem, allowing hackers to control the entire system. Bluebox said the issue would affect the Android 2.1 system and later released in January 2010, but the latest Android 4.4 Kit Kat system has fixed Adobe-related vulnerabilities. But the number of devices affected remains large, according to Gartner, a US market research firm, which has 1.4 billion new shipments of Android equipment in 2012-2013, and is expected to add 1.17 billion more shipments this year. We thank Bluebox for their serious and responsible work and for their report to us. Third-party research has been one of the ways the Android system has progressed. Google spokeswoman Krisdorf Ketsaros Christopher Katsaros said. The issue highlights how security researchers and Google are dealing with security vulnerabilities, but it also suggests that such issues are complex: not only the need for Google co-ordination, but also the collaboration of many developers and device manufacturers. Bluebox said the company completed the study at the end of March this year and submitted the loophole to Google on March 31. The Android security team developed a solution in April this year and submitted it to the relevant vendors. As a result, these companies had 90 days to patch the vulnerability before Bluebox published the results. Bluebox already has about 6,300 Android devicesSome 40 were selected for testing, but only one vendor seems to have patched the vulnerability. Google spokeswoman Ketsaros said the company has improved its security by improving Google Play and verify apps to protect users from false ID issues. We've scanned all apps submitted to Google Play, and Google Google's app for evaluation outside Google Play, and there's no evidence that anyone is trying to exploit the vulnerability. Ketsaros said. Bluebox plans to discuss the issue at next week's Black Hat hacking conference, which is expected to be followed by more security-related news. (Ding Macro)