Tuesday, July 23, 2013

TechNewsWorld: Google Play Misses Dangerous Apps at Border Control

By John P. Mello Jr.
TechNewsWorld
07/23/13 11:13 AM PT

Apps are turning up in Google Play with the MasterKey vulnerability, which could allow malware exploits in phones that don't have Google's fix installed. You could be at risk, if you're using an Android phone that can't upgrade to Jelly Bean. "Google Play's miss in the detection of these apps is evidence that we can't rely on using that market to stay safe," said Webroot's Grayson Milbourne.

Despite yeoman efforts by Google to close a critical hole in its Android mobile operating system that allows any app to be turned into a malicious Trojan, programs are still appearing in the company's Google Play store with the flaw.

A number of apps containing the so-called MasterKey vulnerability were discovered by cybersecurity firm Bitdefender last week.

"There is no need to panic right away: the applications contain two duplicate PNG files which are part of the game's interface," Bogdan Botezatu, a senior e-threat analyst with Bitdefender, wrote in a blog post.

"This means that the applications are not running malicious code -- they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake," he added.
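A defender-side check for the packaging pattern Botezatu describes, written here as an added example (it is not Bitdefender's or Google's code): an APK is a ZIP archive, and the MasterKey condition shows up as the same entry name appearing more than once in the archive's central directory. The sample archive is constructed inline and is not a real app.

```python
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {entry_name: count} for every name that occurs more than once.

    zipfile.ZipFile.infolist() returns one ZipInfo per central-directory
    record, so a name packaged twice is visible here even though
    ZipFile.read(name) would only ever hand back the last copy.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive carries at least one duplicated entry name."""
    return bool(find_duplicate_entries(apk_bytes))


def build_sample_apk(duplicate: bool) -> bytes:
    """Constructed stand-in for an APK (not a real, signed app).

    With duplicate=True the PNG entry is written twice under one name,
    mirroring the 'two duplicate PNG files' case from the article.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("res/drawable/icon.png", b"PNG-A (constructed)")
            if duplicate:
                zf.writestr("res/drawable/icon.png", b"PNG-B (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample_apk(duplicate=flag)
        print(f"duplicate={flag}: suspicious={is_suspicious(sample)} "
              f"entries={find_duplicate_entries(sample)}")
```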

Although the infected apps are benign, they raise serious questions about the ability of Google Play to protect its customers from the bug.

"This kind of app should not work in the first place," Botezatu told TechNewsWorld. "It should not be making it to the Google Play store."

Free Fix

The inclusion of the flaw is likely an oversight by the developers of the apps -- but it's nevertheless disturbing, said Webroot Security Intelligence Director Grayson Milbourne.

"Google Play's miss in the detection of these apps is evidence that we can't rely on using that market to stay safe," he told TechNewsWorld.

Google did not respond to our request to comment for this story.

Google has released a fix for the MasterKey vulnerability, but many Android users may still remain at risk.

"While Android 4.2 users may have the fix from Google, there are still thousands of Android users with older devices that aren't capable of upgrading to that OS and will never get that patch," Milbourne noted.

To address that problem, Webroot last week released a free version of its SecureAnywhere Mobile software that will address the MasterKey vulnerability in older versions of Android.

Unholy Trinity

Although Google acted quickly to address the MasterKey flaw, it remains to be seen how quickly its fixes will reach Android users.

Google, the handset makers and the wireless carriers represent an "unholy trinity" in the Android world that prolongs the exposure of users to exploitable vulnerabilities, maintains Randy Abrams, a research director for NSS Labs.

"Not only are users marooned in obsolete versions of the Android operating system that do not include the most recent security enhancements, but those with current versions of the operating system are left in jeopardy for unjustifiably long periods of time," he told TechNewsWorld.

The Google-OEM-carrier troika needs to assign and coordinate security teams that specify reasonable time frames for operating system upgrades to be made available for devices, Abrams argued, with the authority to deliver newer OS versions, or patches where OS upgrades are unfeasible.

If upgrades and updates are not provided in a reasonable time frame, then a penalty should be imposed on the responsible parties, he suggested.

"The unholy trinity can figure out amongst themselves who is responsible for the delay and how much, but meaningful remuneration to customers should be required in order to provide economic incentive for responsible security practices," added Abrams.

BYOD Policies

The Bring Your Own Device movement appears to be spreading faster than security pros can keep up with it.

Almost 60 percent of organizations surveyed either didn't have a policy that specified how employees may use their own devices in the workplace (41 percent) or were just planning to write such a policy, found a study released last week by Acronis and the Ponemon Institute.

Putting together a good BYOD policy should involve not only an IT department, but also Human Resources, observed Amtel CEO PJ Gupta.

"You may need special HR policies to govern what content is suitable on a personal device being used in the workplace," he told TechNewsWorld.

An organization may also want to include some kind of geofencing in the policy.

"That means if a device comes inside a workspace, then certain functions will stop working," Gupta said.

A BYOD policy should also convey to employees what's expected of them when they use their own device and have corporate data on it. Cisco, for instance, has a "trusted device standard" made up of nine elements for employees using their devices on the job.

"They're not onerous," said Steve Martino, vice president of information security and acting CISO of Cisco.

"They're straightforward things like have antivirus, encrypted disk, password with a screenlock," he told TechNewsWorld. "They're the kinds of things people should already be doing for their personal device."

Breach Diary

  • July 15. New York Office of Medicaid Inspector General reports that an employee exposed 17,743 records of Medicaid recipients by mailing the information to a personal email account.
  • July 17. International Organization of Securities Commissions and the World Federation of Exchanges releases study revealing that 53 percent of the stock exchanges surveyed by the organization had been hit by cyberattacks. The most common assaults were Distributed Denial of Service attacks.
  • July 17. University of Virginia reveals Social Security Numbers of 18,700 students were exposed on the address labels of open enrollment materials mailed to students by its healthcare provider.
  • July 17. Brian McCarthy, former supervisor at the Federal Reserve Bank of Chicago, pleads guilty to a federal misdemeanor charge for stealing computer files containing confidential information relating to the bank's responsibility to assess and monitor its credit risk exposure.
  • July 18. Nasdaq alerts members of its community forums that their passwords have been reset due to a data breach that may have compromised the members' passwords, email addresses and usernames. No trading or commerce platforms were affected by the breach, Nasdaq said.
  • July 18. Perkins Coie releases annual free report of state-by-state analysis of data breach notification laws.
  • July 18. U.S. House Energy and Commerce subcommittee on Commerce, Manufacturing and Trade holds public hearing on bills to establish a national data breach notification law that would supplant existing state laws.

John Mello is a freelance technology writer and former special correspondent for Government Security News.
