An Android security hole that has existed for the last four years was recently uncovered by the mobile security company Bluebox. The Bluebox Security team reported the newly discovered vulnerability in a blog post. According to the team, the hole has existed since the release of Android 1.6 (Donut), and it claims the vulnerability could affect 99 percent of devices across the world.
According to the security team, the vulnerability lies in Android’s security model and allows a hacker to modify APK code without breaking an application’s cryptographic signature. This makes it possible to turn any legitimate application into a malicious Trojan without the end user or the Play Store itself noticing.
The risk is reportedly compounded for applications developed by device manufacturers or by third parties that work in cooperation with them. Generally, an application needs a cryptographic signature in order to be published on the Google Play Store; otherwise the app is rejected automatically. In addition, once an app has been signed, it cannot be modified any further. The discovered vulnerability, by contrast, allows the APK code to be modified without breaking the cryptographic signature. Any authenticated app could be turned into a malicious Trojan if attackers modify its code.
Bluebox has stated that its security team disclosed the issue, Android security bug 8219321, to the Google team in February this year. OEMs will now have to provide an update to fix the vulnerability.
To stay on the safer side, users should install apps, and their updates, only from the Google Play Store. The risk is highest when users install apps from third-party sources or install an APK file directly from an unknown source.