A doozy of an Android bug has been discovered by Bluebox Security's Bluebox Labs, one that affects all Android releases since 1.6 Donut. With the vulnerability, malicious coders can create a trojan application to serve whatever purpose they'd like, whether to steal a user's information or take over control of the device. More information will be given at Black Hat USA 2013 in a keynote speech.
According to Bluebox Labs, because of how many versions of Android are affected, a potential 900 million devices could suffer from the vulnerability, which involves a means for modifying APK code without harm to the app's cryptographic signature. As such, a perfectly legit app can be converted into a trojan that slips under the radar.
The company goes on to specify that apps developed by the handset's makers pose a greater risk due to their elevated privileges. Because of this, one of these apps that are exploited and turned into a trojan can give the hacker complete access to the mobile OS's apps and system, as well as all their related data. The ramifications of this are two-fold:
Depending on the intent of the hacker, personal data like text messages, emails, any documents on the device, account passwords that are saved, pictures, and other related items can be swiped, potentially giving access to things like bank accounts and revealing contacts' information. In addition, this can be taken a step further so that the hacker has the ability to use the device to send text messages, snap pictures, record videos, make phone calls, etc.
In an extreme case, the vulnerability could be used to create a botnet.
According to Bluebox, it informed Google of this Android vulnerability in February of this year. To take care of the issue, every device manufacturer will need to create a patch and roll it out to its users, who will then need to install it. The security firm says it will release "tools/material" and more info about this vulnerability during Blackhat USA 2013, which takes place later this month.