An Android security flaw that can turn your mobile into a zombie device and enlist it in a botnet, expose personal data, or worse has been uncovered by Bluebox. According to estimates, this bug puts 99% of smartphones running Google’s OS at risk, since it has been present since the release of Android 1.6 Donut.
In figures, the newly discovered Android security threat could leave almost 900 million smartphones open to attack. The vulnerability essentially lets attackers modify an APK’s code without breaking the associated app’s cryptographic signature. Because the means by which the application is verified is left intact, the malicious program can go undetected and be used for anything from stealing personal information to building botnets.
If a Trojan app like this were to find its way into distribution straight from an unwitting device manufacturer’s hands, it could effectively take control of an Android device. The program would be able to send messages, record calls, dial contacts at random, turn on the camera and so on. That goes a step beyond handing troublemakers a convenient tool for reading texts, emails, account details and passwords without the user’s knowledge.
In the blog post revealing this vulnerability, Bluebox CTO Jeff Forristal notes that Android security bug 8219321 was disclosed to Google back in February 2013. Let’s hope that manufacturers take note of the issue and move to release firmware updates to fix it. After all, Mountain View’s mobile OS is Apple’s biggest competitor, and its penetration across all segments of the market leaves too many users’ data open to exploitation.
The Bluebox findings surrounding this security vulnerability will be presented at the upcoming Black Hat USA 2013 event.