Bluebox, a stealth start-up dedicated to tackling mobile security problems, recently identified a four-year-old Android bug that could undermine security on 99% of Android devices. According to the Bluebox team of security specialists, the bug has been present since Android 1.6 was released. Google was notified of this bug in February this year; however, the problem has not yet been adequately addressed.
Generally, when an application is modified by an update, the update is verified using cryptographic signatures. If the key fails to match the one provided by the developer at the time of submission, the changes are rejected. What the team at Bluebox Labs has identified is a way in which an application's APK file can be modified without breaking its cryptographic signature. This means that malicious code can be inserted into an application without the user being aware of it.
This revelation can be a serious cause for alarm, considering the popularity of Android devices. There are at least 900 million Android devices out there, many of them used by professionals and other people who use the device to transmit sensitive information such as bank details, consumer reports and personal data. If an attacker succeeds in exploiting this bug, it has the potential to cause a lot of damage on a large number of devices, such as:
1. To begin with, installing a Trojan app can give it unrestricted access to the Android system and to the other applications currently installed on the device, along with their data.
2. The Trojan app can not only read data from applications on the device, such as email, text messages and files, but also obtain the passwords and account information of apps that are synced on the phone.
3. The malicious Trojan app can take over the normal functioning of the Android device and control functions such as making phone calls, sending texts, turning on the camera and even recording calls.
4. Attackers can also use these malicious Trojan apps to create a botnet, which can be a real source of worry for users.
Having said that, even if malicious code is inserted into an existing application that is verified and accepted, the software will still have to find a route to the phone. For users who stay within the guarded boundaries of the Play Store to download applications, there is no way this malware will find its way onto the phone. However, if they are tempted to click on fake and dangerous updates from a third-party app store or the web, there is a good chance that the malware will make its way onto the phone. Users are therefore strictly advised not to click on any suspicious or third-party links whatsoever.
This problem once again brings up the long-standing issue of Android fragmentation. The biggest problem with the Android OS is that many users are still running older versions, because most manufacturers fail to send out timely updates to their devices. Although Google has been informed of this problem, it is now up to the manufacturers to address it. The Samsung Galaxy S4 is one device where the problem has been fixed. Ironically, the problem is yet to be rectified in Google Nexus devices. Those who are aware of the problem must remain wary of clicking on dubious and malicious links for now. Since we try to accomplish so much from our phones, there is a lot of sensitive information on them. If this information falls into the wrong hands, it has the potential to cause much damage.