Google has released a fix to its Android OEMs for the master security hole unearthed by Bluebox Security, according to ZDNet. The publication gained confirmation from Google’s Android Communications Manager, Gina Scigliano, yesterday that “a patch has been provided to our partners”. She also told it that “some OEMs, like Samsung, are already shipping the fix to the Android devices”.
We’ve reached out to Google with additional questions and will update this post with any response. The flaw apparently allows a hacker to turn a legitimate app into a malicious Trojan by modifying APK code without breaking the app’s cryptographic signature. Google has already modified its Play Store’s app entry process to scan for the exploit so apps that have been modified using this vulnerability can no longer be distributed via Play.
Bluebox Security discovered the hole in Android’s code base — which it claims potentially affects 99% of Android devices — back in February, and disclosed it to Google at that time, but only made it public last week. Samsung’s Galaxy S4 was named then as one Android device that had already been patched — so it’s likely that handset is the device Scigliano is referring to when she cites Samsung already shipping a fix. We’ve asked Samsung to confirm which other handsets, if any, it’s now shipping fixes for.
The problem for Android users is that even though Google has now apparently released a fix to its OEMs, they still have to wait for the maker of their particular handset to implement and ship the fix — and potentially also for their carrier to test it with any skin or additions they have added on top of Android before they too release an update. Having to hang around to get updates is a byproduct of the openness and fragmentation of the Android ecosystem.
Still, it doesn’t sound like this particular Android flaw has been widely exploited thus far. Scigliano told ZDNet: “We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue – and Verify Apps provides protection for Android users who download apps to their devices outside of Play.”