Security researchers from Bluebox Labs have claimed that they have discovered a four year old Android bug that could be exploited by malware to disguise themselves as verified apps and take over a user’s device. The researchers claim that the bug allows malicious software to change the code of an APK file without leaving evidence, which means that all that a user will have to do to be affected is install the app on a device.
The Bluebox team says that the bug has existed since Android 1.6 (Donut). However, a hacker can’t distribute the modified app through Google Play as the app store has been patched to verify the contents of all apps downloaded. It still appears to be a serious problem because installing apps from third-party sources, where security measures can be lax, is quite popular among Android users. In fact, in the recent past, Facebook experimented with serving updates directly to Android devices without using the Play Store. Also, Android devices that haven’t been updated are at risk from this vulnerability. Once the malware is installed using the bug, a hacker could take over the user’s device, steal personal data or use the device as part of a botnet attack.
Screenshot of an HTC phone after exploit.
As The Verge points out, this seems to be of especially greater concern for Android users whose handsets have stopped receiving official updates. Jeff Forristal of Bluebox Labs has said that Google was informed of the bug in February of this year but closing the security hole would be up to the manufacturers of individual Android handsets, “99%” of which could be affected. Forristal has revealed that the Samsung Galaxy S4 has already been patched but the Nexus devices have yet to receive the concerned security update.
If you have an Android handset make sure you have all the latest system and Play Store updates installed and also ensure that you only install apps from trusted sources.