4-year-old Android loophole could allow malware on 99 percent of all devices

A security company has discovered a loophole within the Android system that can compromise 99 percent of all devices, including smartphones and tablets….

Android is currently the world’s most popular operating system. Google recently announced that there are more than 900 million activated Android devices across the world. Now, a security company has discovered a loophole within the system that can compromise 99 percent of that number, which includes both smartphones and tablets.

Bluebox Security , the firm behind the discovery, has uncovered an “Android master key” which has the potential to let any hacker turn literally any Android app into a Trojan horse. This essentially means that a malware ridden app can allow hackers to remotely capture data and control functions on an Android device, such as calls or messages. Neither the phone user, nor Google or the app developer will come to know about the hack.

On the BlueBox Security blog, CTO Jeff Forristal has put a post explaining that the vulnerability has existed since Android 1.6: Google’s Donut build, which was released around four years ago. Forristal said that the company zeroed in on the technique used by hackers, which revolves around modifying an app’s APK code without needing to crack the signature used for authentication. This means that the app, which could be loaded with the malware, will appear completely normal and legitimate from the outside.

Cover

Android vulnerability may compromise 99 percent of all smartphone and tablets…

What is scary about this, apart from having your phone hacked without knowing about it, is the fact that verified apps are given complete and unrestricted access to the Android system as well as all the applications on a smart device. Thus, the potential ramifications of this security weakness are huge, although it is still to be determined exactly how the malwar-loaded apps and updates will be sent out to users.

Android users should be relived to know that apps which are listed on Google’s Play store are immune from this tampering, according to the security firm. Thus, a hacker will have to con a user into downloading a malicious version of an app, maybe with a third-party app store or even fake app links. There has been a huge jump in the number of malware related attacks levied against Android devices in the last year. Apart from that, the number of phishing attacks registered in the last year have also increased significantly.

Thus, a phishing email which links a fake update for a popular app might be something that hackers turn to. The easiest way to avoid this is to use official channels for app downloads. However, there are countries where the Play Store is still not available.

The loophole was first reported to Google by the security firm in February, according to CIO . Google has not been idle about this, though, with reports coming in that the company has addressed the issue for the Samsung Galaxy S4 and is currently looking to its own Nexus range. The fact that older devices, which are no longer updated with newer Android builds, can be compromised is a big worry that Google may need to address soon.