Last week, Bluebox Security, a security firm, uncovered a four-year-old vulnerability in Android's security model. According to Bluebox, the vulnerability allows an attacker to modify the code inside an Android application's APK without breaking its cryptographic signature, so the tampering goes undetected by Android's signature verification and authentication system.
According to Bluebox, this vulnerability has existed since at least Android 1.6 and could affect any Android device released in the last four years, potentially over 900 million Android devices.
Cryptographic signatures enable Android to verify whether an app is legitimate or has been tampered with. Modifying an app should invalidate its signature, allowing Android to detect the change. However, this vulnerability lets an attacker modify an app without breaking its signature, deceiving the Android security system, the phone, and/or the app store into treating the app as unchanged.
Bluebox Security revealed that with this vulnerability, an attacker can install a malicious Trojan disguised as a legitimate app and use it to read data such as SMS messages, emails, and documents from the device. Such an app could even turn on the camera and take photos, record calls, retrieve saved passwords, send SMS messages, and place calls from the affected Android device.
Google Has Fixed the Vulnerability, But
Google has fixed the vulnerability and has sent patches to its OEM partners. Bluebox says it alerted Google to the vulnerability in February, so the company has had ample time to rectify the problem. According to reports, Samsung and a few other OEMs have already started shipping devices running the fixed Android. However, existing devices remain vulnerable until OEMs and carriers release updates.
Given the fragmentation and customisation involved in Android, this update may take weeks or months to reach existing Android devices, or it may never arrive at all. The situation for Android users in Nigeria may be even more hopeless, given the reputation of some of the Android vendors that operate in the country. So, it is your duty to protect yourself.
For now, Google has upgraded the security checks at the Google Play Store to identify apps exploiting this Android vulnerability. This means that downloading your apps from the Google Play Store will keep your device safe for now. Downloading apps from unofficial Android stores, which do not perform this check, increases the chances of your Android device being affected by this vulnerability.
So, if you are in Nigeria, stick to Google Play Store.