Security research firm BlueBox claims to have found a “master key” that could give the bad guys complete access to almost any Android phone.
The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.
The loophole has been present in every version of the Android operating system released since 2009.
Google refused to comment to the BBC on BlueBox’s reported discovery.
Jeff Forristal, in a post on the BlueBox blog, said the implications of the discovery were “huge.”:
This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.
The Android OS uses the cryptographic signature as a way to check that an app or program is legitimate and to ensure it has not been tampered with. The folks at BlueBox have reportedly found a method to trick Android when it checks these signature, so any malicious changes to an app go unnoticed.
Any modified version of the app would have the same access to a device that the legitimate version would have.
Marc Rogers, principal security researcher at mobile security firm Lookout said it had replicated the attack and its ability to compromise Android apps.
Google has been informed of the bug, and is reported to have added checking systems to its Play store to spot and stop apps that have been tampered with using this method.
Android users can breathe a little easier, as there is no evidence, as yet, that the exploit is being used by cyber-thieves.