Google’s (NASDAQ:GOOG) popular Android smartphone operating system is reportedly vulnerable to a dangerous security flaw that would allow a hacker to create a fake application update which, once installed, would give them access to virtually anything and everything on a user’s smartphone.
The flaw was discovered by Bluebox Security’s research team, Bluebox Labs, which claims that the vulnerability could be present on any Android phone released in the last four years, or up to 900 million devices. Hackers could use the flaw to turn almost any legitimate app into a malicious Trojan that can access any and all data on the phone while going unnoticed.
Bluebox outlined some of the risks Android users could face. A Trojan could read all data on a device, access all passwords, send SMS messages and make phone calls from the device, turn on the device’s camera, and record phone calls. Bluebox added, “Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet.”
Android applications carry cryptographic signatures that the phone uses to tell whether an app has been altered or tampered with, but the flaw allows hackers to change an app’s code without changing its cryptographic signature, so the Android device does not notice that anything is wrong with the app.
Compounding the security risk is the fact that third-party device makers create apps that are given special privileges, such as system UID access, on Android phones, so targeting those types of apps gives hackers even greater access. While Google’s Android is the most popular smartphone operating system, occupying almost 70 percent of the market, it is also the most heavily targeted by malware. It has been estimated that in 2012, 79 percent of malware was written to target Android. Coming in second was Nokia’s (NYSE:NOK) Symbian platform, with 19 percent.
Apple (NASDAQ:AAPL) iPhone aficionados can breathe a sigh of relief, as only 0.7 percent of malware threats were reported for iOS last year. While no Apple device is immune to malicious programs, Apple seems to be maintaining the strong anti-malware reputation the company has for its computers with its mobile operating system as well.
Bluebox said that the flaw was discovered back in February, and that the only way to protect against it is for device manufacturers to create and release firmware updates. Bluebox recommends that Android users be extra careful when downloading apps, making sure to identify the publisher, and be vigilant about keeping their devices updated.
According to the Huffington Post U.K., Samsung Galaxy S4 devices are reportedly not affected by the flaw, which suggests the issue is being fixed, although the patches are not yet widely available.
Google hasn’t yet commented on the flaw, although Bluebox did point out that it’s up to device makers to fix the problem, not Android or Google itself.
Follow Jacqueline on Twitter @Jacqui_WSCS