A new Android OS vulnerability has surfaced in recent weeks. It is being called the ‘Master Key’ security hole. The vulnerability allows hackers to create an app that poses as a legitimate, approved app, and it affects all Android operating systems since version 1.6 (a.k.a. Donut). If someone downloads an app that claims to be Angry Birds but is actually laced with the hacker’s own malicious code, the hacker could potentially take full control of the device.
Another attack vector is this: you go to a third-party site to download and install a free flashlight app. When you install this app, you get the flashlight, so everything looks fine. Behind the scenes, the malicious code inside your new app replaces Angry Birds on your phone with a compromised version that gives the hacker access to your device. The level of access the hacker gets to your phone depends on the permissions granted to the app they replace. This opens the door for hackers to steal data or even use your device as part of a botnet to conduct other large-scale cyber attacks online. The worst part about this vulnerability is that users would not be aware that their device has been compromised.
The main misconception about this threat is that every single Android device out there is now automatically compromised. This is simply not true. Just like with computer viruses, you have to expose yourself to the threat (go to a malicious website, download a malicious file, etc.) AND be vulnerable at the same time in order for your system to be compromised. What this means for Android users is that you just need to be cautious when you install apps. Even if this new vulnerability did not exist, it is good practice to check the reputation of the app developer before installing their app. If they only have 100 downloads and negative or no ratings, you should think twice about installing it. The best and safest way to download Android apps is from the Google Play Store. As stated on NBCnews.com:
“As long as you’re downloading apps from Google Play, the tech giant’s own app store, everything’s fine. Google has made sure that no modified versions of legitimate apps can be made available through Google Play.”
The above quote is taken from an NBCnews.com story.
Device manufacturers are being urged to publish firmware updates to patch this vulnerability. You should check your device manufacturer’s website to see if they have issued an update for your model of phone or tablet. Updating your device is another way to protect yourself from this threat, but it is not as simple as being educated about where to download your apps.
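If you do end up with an APK file from outside Google Play, you can inspect it before installing. The Python script below is an added example, not code from this post or from Google. It assumes the publicly documented cause of the Master Key bug, which this post does not go into: an APK is a ZIP archive, and an affected file lists the same entry name more than once. The function names and the two sample archives are constructed for illustration.

```python
import io
import sys
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk):
    """Return {entry_name: count} for names listed more than once in the
    ZIP central directory of `apk` (a file path or a binary file object)."""
    with zipfile.ZipFile(apk) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def check(apk):
    """Return (ok, message) so the result can be logged or shown to a user."""
    try:
        dupes = duplicate_entries(apk)
    except zipfile.BadZipFile:
        return False, "not a readable ZIP/APK archive"
    if dupes:
        listing = ", ".join(f"{n} x{c}" for n, c in sorted(dupes.items()))
        return False, f"duplicate entry names: {listing}"
    return True, "no duplicate entry names"


def sample_archive(with_duplicate):
    """Constructed test data: a tiny ZIP standing in for an APK."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeats
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"placeholder")
            zf.writestr("classes.dex", b"placeholder A")
            if with_duplicate:
                zf.writestr("classes.dex", b"placeholder B")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # With no arguments, run against the two constructed samples.
    targets = sys.argv[1:] or [sample_archive(False), sample_archive(True)]
    for target in targets:
        ok, message = check(target)
        print("OK  " if ok else "FLAG", getattr(target, "name", target), message)
```

A clean result only rules out this one trick; it says nothing about whether the app itself is trustworthy, so the advice about where you download from still applies.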
So don’t trash your Android device and go out and buy an iPhone or iPad just yet. The future is still just as bright as it has ever been for Android devices. If you follow the advice above, you will remain safe, and your Android device will remain happy.
Another good source on this topic: https://www.securityweek.com/android-vulnerability-lets-attackers-covert-legitimate-apps-trojans