The Bluebox Labs, which is a security research team has recently traced a hole in Android’s current security model via which the hackers can easily modify the APK code without harming the cryptographic signature. The vulnerability by San Francisco’s Bluebox Security is basically a discrepancy in how an Android application is cryptographically verified and installed, which allows APK code modification without even breaking the cryptographic signature ..
Android apps are basically packaged as APK and signed via an encryption key in order to prevent the malware from making any changes to the code. These Signed applications are designed to empower the system to detect any sort of meddling or alteration ..
However, using the recently discovered vulnerability, a hacker can make the system believe that the changes in the application are still legal ..
A representative of the company was quoted by Appleinsider as saying, “A device affected by this exploit could do anything in the realm of computer malice, including become a part of a botnet, eavesdrop with the microphone, export your data to a third party, encrypt your data and hold it hostage, use your device as a stepping stone to another network, attack your connected PC, send premium SMS messages, perform a DDoS attack against a target, or wipe your device,” ..
The said hole has been there right since the release of the very first dessert version Android 1.6 “Donut,” which means that the flaw was in the install base of all the Android versions including Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich and Jelly Bean ..
What will can it do to your device?
Once the malware passed the Android’s app-signing model, it can easily obtain complete access to the Android system and all the data and other applications installed in the device like the email, SMS messages, documents, etc. and retrieve all stored account and service passwords. Later, the application can also overtake the usual functionality of your device like making phone calls, sending text messages and turn on the camera and record your calls ..
Reported to Google?
Yes, the BlueBox has already reported the bug to Google previously in February but it was left to the device manufacturers if they wanted to release a firmware update to curb this. Apparently, Samsung has already released a patch for its latest flagship Samsung Galaxy S4 ..