Researchers at Bluebox Security say they have found a major vulnerability in Android's code that could affect upwards of 900 million devices. Yes, you read that right: almost every Android device released in the last four years could be affected.
The flaw allows a digitally signed Android application to be modified without invalidating its cryptographic signature, so the altered package still shows up as legitimate and untouched. An attacker could inject malicious code into an existing app and have it pass the system's signature check as if it were the genuine, trusted version.
Because the tampered app is indistinguishable from the original as far as the platform is concerned, an attacker could do almost anything on a compromised device, from a relatively benign root or jailbreak to harvesting passwords, account information and other data.
Bluebox will publish the technical details at a conference in Las Vegas on 1 August. Some handset vendors have already taken steps to address the problem, and Google is expected to release a patch to AOSP soon.
The good news is that the fix is reportedly only two lines of code; the bad news is that Android updates are notoriously slow to reach devices because they depend on OEMs and carriers. Until a device receives the patch, the platform's own signature check is the thing being fooled, so the only practical defence is to be careful about where apps come from. Let's hope, for everyone's sake, that this time the firmware updates arrive in time.
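The article does not say how the signature check is fooled, and the code below is an added illustration, not Bluebox's, Google's or Android's code. The published details of this bug (Android bug 8219321) concern an APK containing two ZIP entries with the same name: the verifier hashes one copy while the installer extracts the other. The toy model below reproduces that class of failure with Python's zipfile, using a plain dict of SHA-256 digests to stand in for the signed manifest (the signature over it is assumed valid and out of scope), constructed sample bytes in place of a real classes.dex, and a "strict" verifier showing the kind of duplicate-entry check that closes the gap. All function names and sample data are assumptions made for this example.

```python
import hashlib
import io
import warnings
import zipfile
from typing import Dict, Optional

# Constructed sample data: in a real APK the signed manifest lists a digest per
# entry; here a dict of SHA-256 hex digests stands in for that signed manifest.
ORIGINAL_DEX = b"DEX\n original classes.dex as signed by the developer"
INJECTED_DEX = b"DEX\n attacker-supplied classes.dex"


def build_app(original: bytes, injected: Optional[bytes] = None) -> bytes:
    """Build a ZIP with one 'classes.dex' entry, or two entries of that name
    when `injected` is given (the duplicate-name trick)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but still writes them
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("classes.dex", original)
            if injected is not None:
                zf.writestr("classes.dex", injected)  # second entry, same name
    return buf.getvalue()


def signed_manifest(original: bytes) -> Dict[str, str]:
    """Stand-in for the signed manifest: one digest per expected entry."""
    return {"classes.dex": hashlib.sha256(original).hexdigest()}


def naive_verify(apk: bytes, manifest: Dict[str, str]) -> bool:
    """Walks the central directory and checks the FIRST entry seen per name."""
    seen = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename in seen:
                continue  # later entries with an already-checked name are skipped
            seen.add(info.filename)
            digest = hashlib.sha256(zf.open(info).read()).hexdigest()
            if digest != manifest.get(info.filename):
                return False
    return True


def installed_code(apk: bytes) -> bytes:
    """The 'installer' looks the entry up by name; in this library the LAST
    entry with a given name wins, so it reads the other copy."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return zf.read("classes.dex")


def strict_verify(apk: bytes, manifest: Dict[str, str]) -> bool:
    """Hardened check: refuse any archive where verification and extraction
    could disagree, i.e. duplicate names or entries the manifest does not cover."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        if len(names) != len(set(names)):
            return False  # duplicate entry names
        if set(names) != set(manifest):
            return False  # unlisted or missing entries
        for info in infos:
            if hashlib.sha256(zf.open(info).read()).hexdigest() != manifest[info.filename]:
                return False
    return True


def demo() -> dict:
    """Runs both verifiers over a clean and a tampered package."""
    manifest = signed_manifest(ORIGINAL_DEX)
    clean = build_app(ORIGINAL_DEX)
    tampered = build_app(ORIGINAL_DEX, INJECTED_DEX)
    return {
        "clean_naive": naive_verify(clean, manifest),
        "clean_strict": strict_verify(clean, manifest),
        "tampered_naive": naive_verify(tampered, manifest),    # True: the check is fooled
        "tampered_strict": strict_verify(tampered, manifest),  # False: rejected
        "tampered_runs": installed_code(tampered),             # the injected bytes
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the strict variant is not the extra hashing but the refusal: any property that two parsers might resolve differently (duplicate names here, but also overlapping or inconsistent headers) is grounds to reject the package before the signature result is trusted.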
Source: Threatpost | Image courtesy of PocketNow