Bluebox Labs, the research division of Bluebox Security, has discovered a vulnerability in Android’s security model that enables a hacker to modify APK code without breaking an application’s cryptographic signature.
The vulnerability, which has been present since the release of Android 1.6, also known as Donut, can turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone or the end user.
Bluebox CTO Jeff Forristal said: "The implications are huge!"
Forristal added that the vulnerability could affect any Android phone released in the last 4 years, or about 900 million devices, and that, depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to the creation of a mobile botnet.
Earlier this year, Bluebox Labs introduced Dexter, a free tool which helps researchers and enterprise security teams analyse applications for malware and vulnerabilities.
This article is from the CBROnline archive: some formatting and images may not be present.