General Gaming Article


Security Firm Finds Gaping Hole in Android’s Security Fabric

Posted: 04 Jul 2013 08:33 PM PDT

Android "Master Key" Vulnerability

Nearly 900 million devices running Android 1.6 or later at risk

The Black Hat USA 2013 security conference does not get underway until July 27, 2013, but there is already plenty to look forward to, with the folks at Bluebox Security dropping a bombshell by claiming to have unearthed a yawning hole in Android's security fabric and promising to shed some technical light on the vulnerability during the upcoming conference.

Bluebox Security CTO Jeff Forristal announced the discovery in a blog post titled, rather chillingly, "uncovering Android master key that makes 99% of devices vulnerable." According to the company, the vulnerability makes it possible for a hacker to "modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user." With nearly 900 million devices running Android 1.6 or later believed to be affected by this vulnerability, the implications, says the company, are massive.

"While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access," the company's CTO wrote.

"Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)," Forristal further wrote, adding that a hacker could also use it to create a botnet.

Based on the blog post, Bluebox has known about the bug since at least February, when it "responsibly disclosed" all the relevant technical details to Google.

"It's up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."

Follow Pulkit on Google+

Newegg Daily Deals: Sound Blaster Recon3D Fatal1ty Sound Card, Mushkin 240GB SSD, and More!

Posted: 04 Jul 2013 05:41 AM PDT

Top Deal:

Let's say you own a muscle car, maybe a Dodge Challenger or a Ford Torino. Would you slap a set of budget tires on your ride? Of course not! You'd make sure you invested in rubber that can handle a V8 on long stretches and around curves, and for the same reason, you shouldn't subject your rockin' studio speakers to onboard sound. Contrary to popular belief, there's still a market for discrete audio, and for those who can take advantage of superior audio, have a peek at today's top deal. It's for a Creative Sound Blaster Recon3D Fatal1ty Champion Sound Card with Sound Blaster I/O for $100 with free shipping (normally $150). This thing is powered by a quad-core audio processor and boasts a 102db SNR. Make those speakers roar!

Other Deals:

Xigmatek ASGARD 381 ATX Mid Tower Computer Case for $25 with free shipping (normally $50 - use coupon code:[AFNJ2246])

Logitech G700 Black 13 Buttons Tilt Wheel USB RF Wireless Laser Gaming Mouse for $80 with free shipping (normally $100)

ASRock Z77 Extreme3 HDMI SATA 6Gb/s Intel Motherboard for $125 with shipping for $6

Mushkin Enhanced 240GB SATA III 7mm Internal Solid State Drive for $175 with free shipping (normally $210)
