Android Master Key Makes 99% Of Android Devices Vulnerable
Security is often the paramount concern for many of today’s tech-savvy users, and the same applies to the mobile world, too. Before you wonder how secure the Android operating system is, hold on to your seats as we reveal a shocker: Bluebox Security claims to have discovered what it calls the Android ‘master key’, which could turn just about any Android app into a malicious “zombie” program and could affect up to 99% of the Android-powered phones and tablets in the world. This does not bode well for Android at all, as the platform has already been considered to be in pole position where malware is concerned.
One must take into consideration that over 900 million Android devices have already been activated, so the prospect of an Android master key in the hands of people armed with enough programming knowledge and malicious intent is a scary thought, clearly bringing this issue to the ‘major vulnerability’ level.
With this vulnerability in the Android platform, malware could enable hackers to remotely capture data and control functions on a device, including your phone calls and messages. This could even be achieved without raising the phone owner’s suspicion, and Google as well as the app developer would be kept in the dark, too.
Bluebox CTO Jeff Forristal said that this vulnerability can be traced all the way back to Android 1.6, better known as Donut. Forristal claimed that Bluebox discovered a method by which a hacker could modify an app’s APK code without breaking the cryptographic signature that is used to authenticate it. In plain English, an app can be loaded with malware on the inside while still being cleared as legitimate on the outside. Of course, there is still a glimmer of hope for users: this potentially explosive situation remains theoretical, as it is unclear how malicious apps and updates would be served to users.
As a user, I guess one of the main preventative steps you can take is to stick to official app stores for downloads, and to use third-party app stores only if you really have to. It is nice to know that Bluebox Security reported this flaw to Google back in February this year; the issue has been fixed for the Samsung Galaxy S4, and a fix for Google’s own Nexus range is in the pipeline. The main worry should be older devices that will no longer receive newer versions of the Android operating system.