Bluebox, a mobile security firm, billed the exploit as a “Master Key” that could “turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user”. In a blog post last week, Bluebox CTO Jeff Forristal wrote that nearly any Android phone released in the last four years is vulnerable.
Bluebox’s claims led to a fair number of scary-sounding headlines, but as Google points out, most Android users are already safe from this security flaw.
Speaking to ZDNet, Google spokeswoman Gina Scigliano said that all apps submitted to the Google Play Store get scanned for the exploit. So far, no apps have even tried to take advantage of the exploit, and they’d be shut out from the store if they did.
If the attack can’t come from apps in the Google Play Store, how could it possibly get onto Android phones? As Forristal explained to Computerworld last week, the exploit could come from third-party app stores, e-mailed attachments, website downloads and direct transfer via USB.
But as any Android enthusiast knows, Android phones can’t install apps through those methods unless the user provides explicit permission through the phone’s settings menu. The option to install apps from outside sources is disabled by default. Even if the option is enabled, phones running Android 4.2 or higher have yet another layer of protection through app verification, which checks non-Google Play apps for malicious code. This verification is enabled by default.
In other words, to actually be vulnerable to this “Master Key,” you must enable the installation of apps from outside Google Play, disable Android’s built-in scanning and somehow stumble upon an app that takes advantage of the exploit. At that point, you must still knowingly go through the installation process yourself. When you consider how many people might go through all those steps, it’s a lot less than 99 percent of users.
Still, just to be safe, Google has released a patch for the vulnerability, which phone makers can apply in future software updates. Scigliano said Samsung is already pushing the fix to devices, along with other unspecified OEMs. The popular CyanogenMod enthusiast build has also been patched to protect against the peril.
Android’s fragmentation problem does mean that many users won’t get this patch in a timely manner, if at all, but it doesn’t mean that unpatched users are at risk.
None of this invalidates the work that Bluebox has done. Malicious apps have snuck into Google’s app store before, so the fact that a security firm uncovered the exploit first and disclosed it to Google is a good thing. But there’s a big difference between a potential security issue and one that actually affects huge swaths of users. Frightening headlines aside, this flaw is an example of the former.