Bluebox Security’s Bluebox Labs has discovered an Android bug that has existed since Android version 1.6 Donut, released back in 2009. Android is an open source project, which gives anyone the ability to develop apps and sell them in the Play Store or any third-party app store. Google takes care that apps are safe for users while digitally signing them, but when you download apps from third-party app stores, you can easily compromise the safety of your device.
Let's see how this actually happens and how it can lead to your device being hacked.
Android applications use cryptographic signatures, which the system records when you install the app. Further updates of the app need to have the same cryptographic signature. Hackers can take an app with a legitimate cryptographic signature, modify it by adding malicious code while it still carries that signature, and then distribute it through unreliable third-party app stores. When the user installs the new version, it works as a Trojan (pretending to be what it is not), and depending on the hackers' intent and the permissions the Android system gives the app, it can take control of many critical areas of the system.
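The following Python example is added here and is not code from Bluebox or from this article's author. It checks what the signature described above is meant to guarantee: that every file in an APK matches the SHA-1 digest listed for it in META-INF/MANIFEST.MF and that no entry name is ambiguous. It does not verify the signature over the manifest itself, and the names `audit_apk`, `build_sample` and the sample contents are constructed for illustration.

```python
import base64, hashlib, io, warnings, zipfile
from collections import Counter

def sha1_b64(body):
    return base64.b64encode(hashlib.sha1(body).digest()).decode()

def parse_manifest(text):
    """Map entry name -> SHA1-Digest value from a JAR-style MANIFEST.MF.
    Line endings are normalised and continuation lines (leading space) joined."""
    digests, name = {}, None
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
        elif not line:
            name = None  # a blank line ends the per-entry section
    return digests

def audit_apk(data):
    """Return sorted findings for APK bytes; an empty list means consistent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return ["no manifest"]
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        counts = Counter(i.filename for i in infos)
        # A repeated name is ambiguous: two readers may pick different copies.
        findings = {f"duplicate entry: {n}" for n, c in counts.items() if c > 1}
        for info in infos:
            if info.is_dir() or info.filename.startswith("META-INF/"):
                continue
            expected = digests.get(info.filename)
            if expected is None:
                findings.add(f"not in manifest: {info.filename}")
            elif expected != sha1_b64(zf.read(info)):  # hash this exact copy
                findings.add(f"digest mismatch: {info.filename}")
    return sorted(findings)

def build_sample(entries, signed):
    """Constructed input: zip holding `entries`, manifest digesting `signed`."""
    manifest = "Manifest-Version: 1.0\r\n\r\n" + "".join(
        f"Name: {n}\r\nSHA1-Digest: {sha1_b64(b)}\r\n\r\n" for n, b in signed.items())
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w") as zf:
        warnings.simplefilter("ignore")  # zipfile warns on repeated names
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in entries:
            zf.writestr(name, body)
    return buf.getvalue()
```

To audit a real file, pass its bytes: `audit_apk(open(path, "rb").read())`.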
What can be hacked or compromised:
According to the researchers at Bluebox Security, hackers can jailbreak the device, gain access to all the system features, and create a botnet that can turn any legitimate app into a Trojan. Moreover, these Trojan or malicious apps can retrieve passwords, account information, and credit and debit card information from the device, and take control of the phone, SMS, email, hardware such as the camera and microphone, and even the operating system.
Who is affected by this vulnerability:
Over 900 million Android devices (tablets and phones) running Android version 1.6 or later, including Jelly Bean, are affected. The only device that has a fix for this bug is the Samsung Galaxy S4, according to GSMArena.
How is Google dealing with this problem:
Google acknowledged that Google developers and device manufacturers are aware of this glitch, and a patch will soon fix the issue in upcoming software updates.
Google has also confirmed that there are no existing apps on Google Play that might exploit this vulnerability; Google uses extreme precaution and safety measures when dealing with these kinds of apps on the Play Store.
Prevention is better than cure; how to be cautious:
Since every Android device running Android version 1.6 or later (except the Galaxy S4) has this bug, users should avoid downloading apps from unreliable third-party app stores that offer cracked apps, paid apps for free, or freeware. Although an app might look safe according to its digital signature, it might have malicious code embedded within the original code.
Take the utmost care when doing online transactions using third-party apps; never use credit card, debit card or account information with apps that were not installed from a secure and trustworthy app store.
And last but not least, install a good antivirus app and uncheck the option to install apps from unknown markets, found under Security in Android's system settings. Try to buy pro versions rather than relying on free antivirus apps, since they deliver more security features than the free versions.
Keep checking for new software updates; sooner or later device manufacturers are going to patch the bug.
Image courtesy: thehackernews