A mobile security company called Bluebox is claiming to have discovered a vulnerability in Android devices that could leave a staggering 99 percent of them open to an attack. Any device that has hit the market within the last four years could be susceptible to said attack, so only older devices are exempt.
The method involves modifying an app’s code without invalidating its cryptographic signature. This allows a malicious app to insert code without drawing any attention, so the attack would go unnoticed. From there, the exploit could be used to steal a user’s data or create dangerous botnets.
The specifics of the exploit were left under wraps, presumably so malicious individuals will not be able to figure it out as easily. Some details were given, mainly that this exploit would allow the app to use a sort of “master key” to get around the app’s cryptographic signature, which is what verifies its authenticity.
Before you become too terrified, the vulnerability has reportedly been around since the release of Android 1.6 in 2009, and it has not caused widespread problems yet. Google has known about the issue since February, but the responsibility rests with the device manufacturers to release updates that will fix the bug. So far only Samsung has issued the patch, for the Galaxy S IV, but we expect other devices to follow its lead soon.
While scary, the important thing to remember is that this bug is not going to magically jump into your phone. The user still has to install a malicious app. Simply being careful about which kinds of apps you put on your phone or tablet will help keep your device protected from this and most other exploits.