‘The Android master key,’ a vulnerability that could affect 99 percent of the world’s Android-powered phones and tablets, has been unearthed within the Google-owned platform. Since more than 900 million Android devices have been activated, we’re filing this in the ‘major vulnerability’ folder.
Found by Bluebox Security, ‘the Android master key’ could allow a hacker to turn virtually any Android app into a malicious “zombie”. In other words, malware could allow hackers to remotely capture data and control functions on a device — such as calls and messages — all without raising the attention of the phone owner, Google or the app developer.
CTO Jeff Forristal explains that the vulnerability dates back to Android 1.6 (aka its four-year-old Donut build). Forristal revealed the company found a method by which a hacker could modify an app’s APK code without breaking the cryptographic signature used to authenticate it.
In other words, apps could be loaded with malware but appear legitimate on the outside.
Since verified apps are granted complete access to the Android system and all applications on a phone, the security weakness is potentially huge, although it remains theoretical since it is unclear how malicious apps and updates would be served to users.
Apps listed on the Google Play store are immune from this tampering, so a hacker would need to lure a user into downloading a malicious version of an app in other ways, perhaps via a third-party app store or fake app links. A phishing email with a link to a fake update for a popular app, for example, might generate some downloads.
Bluebox Security reported the hole to Google in February, and the issue has already been fixed for the Samsung Galaxy S4, while Google’s own Nexus range is being looked at. Most worryingly, the issue could affect older devices that are no longer updated with new Android builds.
A report released last month claimed that mobile malware is an increasingly profit-driven business. The research firm found that 92 percent of mobile malware targets the Android platform — according to its estimates, the number of malicious mobile apps jumped 614 percent between March 2012 and March 2013, to more than 250,000 apps.