Google’s (NASDAQ:GOOG) popular Android smartphone operating system is reportedly vulnerable to a dangerous security flaw that would allow a hacker to create a fake application update which, once installed, would give them access to literally anything and everything on a user’s smartphone.
The flaw was discovered by Bluebox Labs, the research team at Bluebox Security. The team claims that the vulnerability could be present on any Android phone released in the last four years, or up to 900 million devices. Hackers can use the flaw to turn almost any legitimate app into a malicious Trojan that could access any and all data on the phone while going unnoticed.
Bluebox outlined some of the risks Android users could face. A Trojan could read all data on a device, access all passwords, send SMS messages and make phone calls from the device, turn on a device’s camera, and record phone calls. Bluebox added, “Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet.”
Android applications carry cryptographic signatures that the phone uses to tell whether an app has been altered or tampered with, but the flaw can allow hackers to change an app’s code without changing its cryptographic signature, meaning the Android device won’t notice that anything is wrong with the app.