Handset makers are slow to push fix to users, and fragmentation is not helping in the enterprise.
Google quickly addressed a mega flaw in its Android mobile operating system after security researchers brought it to the company’s attention earlier this month, but those fixes appear to be slow in reaching handset owners.
“Samsung and HTC have both shipped some patches for some devices,” Adam Ely, co-founder of Bluebox, told CSOonline. Bluebox uncovered the vulnerability that could impact 99 percent of some 900 million Android devices in the world.
“The information from the manufacturers and carriers that’s coming in is pretty spotty,” Ely said.
Typically, handset makers push fixes to their latest models before addressing problems with older models. “They generally will first fix whatever’s most popular in their market, whatever they’re trying to push, and work backwards,” he said.
“Almost all OEMs don’t care about phones that were sold more than a year ago,” said Pau Oliva Fora, an Android analyst with viaForensics. “Not even Google has pushed updates to its Nexus phones yet.”
Rapid7 Vice President and General Manager for Mobile, Giri Sreenivas, agreed that handset makers aren’t being very transparent about how they’re tackling the Bluebox vulnerability.
“It’s likely that the first devices to see the fix beyond the Nexus devices, which are managed by Google, will be the Google Experience devices from HTC (HTC One) and Samsung [Galaxy S4],” Sreenivas said.
Nexus-branded Android devices are manufactured for Google by several handset makers and are usually the first to get updates and fixes.
Google said it has furnished its Android partners with a patch to address the problem. “Some OEMs are already shipping the fix to their Android devices,” Google spokeswoman Gina Scigliano said in an email. “Nexus devices will receive the fix in an upcoming software update.”
Although the vulnerability, which allows digital desperadoes to turn any legitimate application into a malicious Trojan, has existed undetected in Android for four years, it appears to have escaped the notice of the hacker community.
“We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools,” Scigliano said.
In addition to the patches it’s pushing, Google has configured its online app store, Google Play, to scan the apps it distributes for the defect, and is offering a program called Verify Apps to check apps obtained from outside Google Play for the flaw.
Shortly after Bluebox discovered its master key vulnerability, so named because it allows a hacker to modify an application package (APK) without breaking its cryptographic signature, a similar vulnerability was posted to a Chinese-language website.
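The article does not describe the mechanism, but the publicly documented root cause of the Bluebox bug was that an APK (a ZIP container) could carry two entries with the same name: the signature verifier checked one copy while the installer extracted the other, so the package's signature still validated. The script below is an added example written for this page, not Bluebox's, Google's or any OEM's code; it builds a constructed sample package in memory (a stand-in for a real APK) and implements the kind of check an app store or enterprise scanner could run to flag archives with duplicate entry names. The entry names and contents are made up for the demonstration.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry_name: count} for every name that appears more than once
    in the ZIP central directory. A signed APK should never have duplicates;
    two entries with one name is the shape the master key bug relied on."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() preserves every central-directory record, including
        # duplicates that namelist()/getinfo() would otherwise collapse.
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the package contains any duplicated entry name."""
    return bool(duplicate_entries(apk_bytes))


def build_sample(duplicate: bool) -> bytes:
    """Constructed sample: a minimal ZIP with APK-like entry names.
    With duplicate=True a second 'classes.dex' is appended after the
    original, mimicking a tampered package whose signature files still
    cover the first copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original-code")
        zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        if duplicate:
            with warnings.catch_warnings():
                # zipfile warns (but does not refuse) when a name repeats,
                # which is exactly why a separate check is needed.
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035\x00replacement-code")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("tampered", True)):
        sample = build_sample(flag)
        print(label, "duplicates:", duplicate_entries(sample),
              "suspicious:", is_suspicious(sample))
```

The check is deliberately conservative: it only reports names that occur more than once, which is a condition a legitimately built package never produces, so a hit is worth quarantining rather than installing. A production scanner would also want to compare the entries listed in `META-INF/*.SF` against the central directory, but duplicate names alone are the quickest signal for this class of package tampering.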
“Google has patched the second vulnerability posted on the Chinese website, but similar to the master key vulnerability, there is no transparency from the OEMs about how and when to expect these patches to reach end-user devices,” said Rapid7’s Sreenivas.
“In an interesting twist,” he said, “the CyanogenMod communities are already starting to incorporate the fixes from Google; therefore, we are seeing custom ROMs running on jailbroken devices and offering a level of protection that other devices are not able to offer.”
Although one of the co-founders of Android, Rich Miner, recently discounted the negative impact fragmentation has had on the operating system, Bluebox’s Ely said his firm had found that the ecosystem’s fractured landscape was definitely complicating mitigation of the serious problem.
“It’s a challenge because of fragmentation in the market,” Ely said. “Enterprises are having trouble keeping track of what’s [been] patched, what hasn’t.”
Google patched the problem fast, but now the patches have to be tested on the myriad versions of Android out there running on an assortment of handsets, he said.
“That’s what makes this difficult,” Ely said. “It’s the number of places it has to be fixed, which is the result of fragmentation in the market.”
While the Bluebox exploit has been treated as an apocalypse waiting to happen by some, others are more sanguine about the discovery. “These issues have been blown out of proportion,” said Ken Pickering, development manager for security intelligence at Core Security.
“Yes, you can bypass signature checks, but the Google Play Store is already scanning for this malware,” Pickering said. “So, unless you’re rooting your phone and sideloading applications, the majority of users should be unaffected by these defects.”
“Don’t get me wrong, it’s a bad bug,” he said. “But the actual exploit would be very hard to reproduce on the majority of environments, and it would only affect a minority of users.”