The company Bluebox security, has found a security hole in Android’s operating system. What’s even more scary about this news is the report states that this security hole has been around since Android 1.6 Donut. Apparently what can happen is malicious developers can change the APK of a legitimate company, without any breaks to its cryptographic signature. This basically means that if an app is hacked on Android, the user would not know and could be entering their information and sending it to the malicious hackers unknowingly.
Android apps (packaged as an “APK”) are signed with an encryption key (just like iOS apps) to prevent a malicious party from changing the code. Signed apps are expressly designed to enable the system to detect any tampering or modification.
Since verified apps are granted complete access to the Android system and all applications on a phone, the security weakness is potentially huge, although it remains theoretical since it is unclear how malicious apps and updates would be served to users.
Apps listed on the Google Play store are immune from this tampering, so a hacker would need to lure a user into downloading a malicious version of an app in other ways, perhaps via a third-party app store or fake app links. A phishing email with a link to a fake update for a popular app, for example, might generate some downloads.
If Google has not done anything up to this point, it makes you wonder if they taking this security issue as seriously as they should. Smartphone malware is becoming a huge problem and in order to prevent threats, the security companies along with the OS developers must work together, to stop this ongoing threat.
As SlashGear reports, according to Bluebox, it informed Google of this Android vulnerability in February of this year. To take care of the issue, every device manufacturer will need to create a patch and roll it out to its users, who will then need to install it. The security firm says it will release “tools/material” and more info about this vulnerability during Blackhat USA 2013, which takes place later this month.