Security problems for Android are piling up, with an additional two vulnerabilities discovered in the mobile operating system over the last 24 hours, including one that was said to have been exploited in a $5,700 Bitcoin heist, and a second that allows cybercriminals to control malware on infected devices via the Google Cloud Messaging service.
In the first instance, Google’s Android security team has already put out a fix for the mobile operating system’s Java-derived pseudorandom number generator, or PRNG, after some Bitcoin users reported small amounts of money being stolen. The bug in the PRNG meant that Android would occasionally issue the same random number twice, which allowed hackers to ‘guess’ the private keys of some Bitcoin wallets stored on Android phones and tablets. From the wallets that were compromised, hackers were able to steal small amounts of money totalling some $5,700.
Android security engineer Alex Klyubin revealed the problem in a blog post on Wednesday, writing that the bug impacted apps using Java Cryptography Architecture (JCA) that failed to properly initialize the underlying PRNG, as well as apps that use the OpenSSL PRNG in Android without “explicit initialization”.
The problem is thought to have affected hundreds of thousands of applications, according to security firm Symantec. Even so, the effect the bug had on Bitcoin wallets is fairly unusual, because details of these apps’ transactions are published in the public domain, which makes it easier for cybercriminals to work out their private keys. Symantec said that the PRNG’s failure to properly generate random numbers made the wallets less secure, although the risk to users was still low.
Android might have fixed the PRNG flaw, but a second, potentially even more worrying vulnerability has been discovered in its Google Cloud Messaging (GCM) service, which allows developers to send and receive messages from apps installed on devices. Google Cloud Messaging works by allowing developers to send up to 4KB of structured data from their own server, through Google’s GCM servers, to user installations of their apps. These messages can be delivered to devices even if the app has been disabled, as Android will automatically wake it up when a message arrives.
GCM messages are typically used to send text ads, links and commands to the apps, said Kaspersky Lab’s researcher Roman Unuchek in a blog post on Wednesday.
Unfortunately, these same messages can also be used as the primary or secondary channel to control and direct malicious apps installed on Android devices, said Kaspersky.
One of the most common pieces of malware that abuses this channel is known as Trojan-SMS.AndroidOS.FakeInst.a, and works by sending SMS messages to premium-rate numbers. It can also be used to generate shortcuts to malicious websites, display ads that recommend other malicious apps, or delete incoming SMSs.
To date, Kaspersky says that it’s uncovered more than 4.8 million FakeInst.a installers on Android devices, and has successfully blocked more than 160,000 attempts to install the Trojan onto people’s devices. Even so, researchers have detected the Trojan on devices in more than 130 countries, with the majority of them being found in Russia, Uzbekistan, Ukraine and Kazakhstan.
The problem with GCM is that neither users nor mobile antivirus programs are capable of stopping these malicious messages once the app has been installed on the device, because the OS itself is receiving them. The only way to prevent them being sent is by blocking the developer IDs that are being used to register malicious apps with GCM, which is of course something that the average user isn’t capable of doing.
Unuchek says that GCM offers malware writers a cheap and easy tool to command their malicious programs, and warns that it’s highly likely this kind of abuse will grow if Google doesn’t develop any countermeasures soon.