Jul 05, 2013 12:10 PM EDT
Android Malware Allows Hackers to Send Texts, Make Calls and Access Your Camera
The Bluebox Security Firm discovered a weakness in Android's operating system that would allow hackers into the phone without alerting the app store, the phone or the user, according to a report from the company's chief technology officer Jeff Forristal.
The weakness could affect any phone manufactured since the release of Android's operating system 1.6 "Donut," which is any phone made in the last four years - nearly 900 million. The security flaw may expose personal information stored in select apps or on the phone itself.
Forristal wrote the operating system's weakness makes it easier for hackers to install Trojan malware on a phone by accessing an application on the device. From there, the hacker can obtain information from that app and, if the app is developed by the phone's manufacturer, from the device itself (texts, e-mails, contact info). The malware can also "take over the normal functioning of the phone and control any function thereof," he wrote.
That means the Trojan virus can send random texts, place arbitrary calls and even operate the phone's camera.
"Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these "zombie" mobile devices to create a botnet," Forristal wrote.
All Android applications are designed with their own cryptographic signature that makes it easy to verify if the app has been tampered with. The vulnerability essentially makes it possible for hackers to break into the app, and into the phone, without altering the signature at all, leaving the user, the phone and the app oblivious.
Forristal wrote that Bluebox reported the bug to Google and said it will now be up to the manufacturers to develop updates to their firmware that will fix the problem.
Forristal is set to be a keynote speaker at the Black Hat USA 2013 conference at the end of July and will give a talk on the Android bug. Afterwards, he will follow up his talk with a blog post giving further details with elements of the address.
Join the Conversation