A software vulnerability that has existed in Android since the release of Android 1.6 Donut can allow attackers put malicious apps on almost every Android device (99 per cent).
Mobile security firm Bluebox on Wednesday noted in a blog post that this vulnerability has been revealed to Google in February this year but Samsung Galaxy S4 is the only phone to get patched with a fix till now.
Normally Android applications are verified using cryptographic signatures, so the operating system rejects updated versions of the apps if cryptographic signatures don’t match but Bluebox has found a way to modify the apps without breaking the cryptographic signatures.
“This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been,” Bluebox stated in the blog post.
While there is no way for an infected app to reach users’ Android device if they always use Google Play (also updated) for downloading apps or updating them, the risk is very high for the users of third-party stores or consumers who install APK files from unknown sources.
Depending on the access level, infected apps could send email, SMS, others personal data or even saved passwords to the attacker. Bluebox plans to release the details of this vulnerability at the Black Hat USA 2013 talk.
With Google and manufacturers already aware of the bug, it is up to them now to patch the devices via software updates.