We have seen plenty of Android bugs before, but this one, discovered by Bluebox Labs, looks like a nasty one: it has been present for about four years, leaving devices running Android 1.6 Donut and later open to malicious Trojans. The bug, which Bluebox says affects “99 percent” of Android devices, allows malicious code to be inserted into an existing, legitimately signed app without the user’s knowledge.
According to Bluebox, an app’s APK file can be modified without invalidating its cryptographic signature. Android relies on that signature to decide whether a package is genuine and whether it may be installed over the version already on the device, so a tampered package that still verifies can be delivered as if it were a legitimate update and used to install malware.
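The article does not describe the mechanism, but the claim above amounts to a disagreement between what the signature covers and what actually gets installed. The check below is an added example, not Bluebox’s code or anything from the Android source: it re-derives the per-file SHA-1 digests that an APK’s JAR-style manifest (META-INF/MANIFEST.MF) commits to and compares them against every entry in the archive, reading each entry by its own central-directory record rather than by name. It also flags duplicate entry names, because a ZIP containing two entries with the same path lets one parser (a verifier) and another (an installer) legitimately read different bytes for that path. The signature block (CERT.SF / CERT.RSA) over the manifest is not modelled; the sample archives are constructed inline and are not real apps.

```python
"""Cross-check an APK's ZIP entries against the digests in its JAR-style
manifest, and flag duplicate entry names.  Added example; the sample
archives built by build_apk() are constructed for illustration."""
import base64
import hashlib
import io
import warnings
import zipfile


def parse_manifest(text):
    """Parse a JAR manifest into {entry name: {attribute: value}}.

    Manifest lines are folded at 72 bytes; a continuation line starts with a
    single space and is joined to the previous line.  Sections are separated
    by blank lines; only sections carrying a 'Name:' attribute are returned.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:            # trailing "" flushes the last section
        if line == "":
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return sections


def sha1_b64(blob):
    """Digest encoding used by MANIFEST.MF: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(blob).digest()).decode()


def check_apk(data):
    """Return a list of findings for an APK given as bytes; [] means consistent."""
    findings = []
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        zf = zipfile.ZipFile(io.BytesIO(data))
    infos = zf.infolist()                # every central-directory record, dupes included

    # 1. Duplicate names: ZipFile.read(name) silently returns the *last* record,
    #    so a name-keyed verifier and a record-keyed installer can disagree.
    by_name = {}
    for info in infos:
        by_name.setdefault(info.filename, []).append(info)
    for name, records in by_name.items():
        if len(records) > 1:
            findings.append(f"duplicate entry: {name} x{len(records)}")

    # 2. Every non-META-INF file must match the digest the manifest commits to.
    if "META-INF/MANIFEST.MF" not in by_name:
        findings.append("missing META-INF/MANIFEST.MF")
        return findings
    manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    for info in infos:
        name = info.filename
        if name.startswith("META-INF/") or name.endswith("/"):
            continue
        with zf.open(info) as fh:        # open by record, not by name
            actual = sha1_b64(fh.read())
        expected = manifest.get(name, {}).get("SHA1-Digest")
        if expected is None:
            findings.append(f"not in manifest: {name}")
        elif expected != actual:
            findings.append(f"digest mismatch: {name}")
    return findings


def build_apk(entries, tamper=None):
    """Construct a minimal APK-like archive (constructed sample, not a real app).

    The manifest digests are computed over `entries` only.  `tamper`, if given,
    is an extra (name, bytes) record appended afterwards, the way an attacker
    who cannot re-sign the package would have to add content.
    """
    manifest = "Manifest-Version: 1.0\n\n"
    for name, blob in entries.items():
        manifest += f"Name: {name}\nSHA1-Digest: {sha1_b64(blob)}\n\n"
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # allow the duplicate name on purpose
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", manifest)
            for name, blob in entries.items():
                zf.writestr(name, blob)
            if tamper:
                zf.writestr(*tamper)
    return buf.getvalue()


GENUINE = {"classes.dex": b"dex\n035\x00constructed sample bytecode"}

if __name__ == "__main__":
    print("clean   :", check_apk(build_apk(GENUINE)))
    print("tampered:", check_apk(build_apk(GENUINE, tamper=("classes.dex", b"payload"))))
```

Run against a real APK the digest comparison is only half of what the platform checks (the signature over the manifest is the other half), but it is the half that has to fail when the archive’s contents change, so an archive that passes it while carrying an unexpected file or a repeated name is exactly the kind of package worth refusing to sideload.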
An attacker would not be able to push such updates through the Google Play Store, but third-party app stores, phishing emails and malicious websites are all viable ways to lure unsuspecting users into installing one. Because the tampered update is recognised as verified, Bluebox says it could give an attacker full access to the device, letting them harvest the user’s data or add the device to a botnet.
Bluebox reportedly notified Google of the bug back in February this year. According to Bluebox Chief Technology Officer Jeff Forristal, Samsung’s Galaxy S4 has already received a fix, while Google is still working on a patch for its Nexus devices.
Whether or not a fix reaches your device, the practical mitigation is the usual one: install apps only from sources you trust, and do not sideload packages from unfamiliar websites or senders. Bluebox will reveal more details of its findings at the Black Hat security conference in Las Vegas.