While there is no doubt that Android is putting up a good fight in the smartphone industry, there are still resilient issues that keep on haunting the operating system. If you have been following the Android platform for quite some time, you'll know that it's not doing so well in terms of security, at least when compared to other platforms. There have been numerous reports of malware and exploits that plagued Android over the years. Now, a new report emerges stating that a 'master key' exploit has been found that enables bad guys to access just about every Android phones.
Mobile security firm BlueBox claims to have discovered a 'master key' Android exploit that is said to be able to affect up to 900 million devices. To put it in perspective, that's a staggering 99% of all Android phones. With this Android exploit, this will enable hackers to modify APK code without sounding off the alarms of an app's cryptographic signature. This gives the bad guys the ability to turn any legitimate application into something nasty, like a malicious Trojan which will go unnoticed by the Play Store, the device, and of course, the user. The vulnerability affects Android phones that have been released since 1999.
This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years1 – or nearly 900 million devices2– and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.
By using this method, the folks at BlueBox were able to trick Android when it checks for cryptographic signatures, so any malicious changes will go unnoticed. Marc Rogers, principal security researcher at mobile security firm Lookout, was also able to replicate the attack and thus, its ability to compromise Android apps has been proven.
Fortunately, Google has already been informed of the Android exploit, prompting the company to take the appropriate steps to one-up its security measures. More checking systems have been added to the Play Store designed to detect and stop apps that have been compromised using this method.
For the meantime, Google has yet to make a comment regarding BlueBox's discovery. [via BlueBox]Contact Us for News Tips, Corrections and Feedback