Researchers at Bluebox have revealed an Android security vulnerability that could allow attackers to take full control of almost any smartphone running Google’s Android operating system without the knowledge of the app store, the phone or the end user.
The vulnerability has apparently been around since the release of Android 1.6 (Donut), so it could affect any Android phone released in the past 4 years. The weakness involves the way legitimate Android applications are cryptographically signed to ensure they haven’t been modified by parties other than the trusted developer. Anyone exploiting the vulnerability can modify app code to include backdoors, keyloggers or other malicious functionality without changing the verification signature.
Bluebox has claimed to have notified Google of the Android security exploit in February, and according to CIO, Bluebox CTO Jeff Forristal has named the Galaxy S 4 as the only device that is immune to the exploit. Google is reportedly working on an update for its Nexus devices.
Sources: Engadget.com, ArsTechnica.com, Bluebox, CIO