Mobile security startup Bluebox Security has unearthed a vulnerability in Android's security model which, it says, could be used to exploit nearly 900 million Android phones released in the past four years, or some 99% of Android devices.
This security loophole could be exploited to let an attacker do what they want with a phone, including stealing data, eavesdropping or using it to send junk messages. The loophole has been present in every version of the Android operating system released since 2009.
Writing on the Bluebox blog, Jeff Forristal said the implications of the discovery were "huge".
The bug arises from the way Android handles cryptographic verification of the programs installed on the phone.
Android uses a cryptographic signature to check that an app or program is legitimate and to ensure it has not been tampered with. Mr Forristal and his colleagues have found a method of tricking Android's signature check so that malicious changes to apps go unnoticed.
Any app or program written to exploit the bug would enjoy the same access to a phone that the legitimate version of that application enjoyed.
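To make the signature check concrete, here is an added example (not Bluebox's, Google's or the Android implementation's code) of how a package verifier ties a signed manifest to the files that actually get installed. It uses an HMAC with a constructed key as a stand-in for the public-key signatures real Android packages carry, and the file names and contents are constructed. The verifier also refuses archives in which the same entry name appears twice, a general hardening so that the bytes that were hashed are unambiguously the bytes that will run; the article does not describe the specific trick Bluebox found, and this example makes no claim about it.

```python
import hashlib
import hmac
import io
import json
import warnings
import zipfile

# Constructed stand-in for a signing key. Real Android packages carry
# public-key signatures; an HMAC key is used here only so the example
# runs offline with the standard library.
SIGNING_KEY = b"constructed-demo-signing-key"

MANIFEST = "META-INF/MANIFEST.json"   # constructed layout, not Android's
SIGNATURE = "META-INF/MANIFEST.sig"


def build_package(files, key=SIGNING_KEY):
    """Pack {name: bytes} into a zip with a signed manifest of SHA-256 digests."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}
    manifest_bytes = json.dumps(manifest, sort_keys=True).encode()
    signature = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(MANIFEST, manifest_bytes)
        zf.writestr(SIGNATURE, signature)
    return buf.getvalue()


def rewrite_package(package, name, data, duplicate=False):
    """Copy the archive with `name` replaced by `data` (or appended if absent),
    keeping the original signed manifest untouched.  With duplicate=True the
    existing entry is kept and a second entry of the same name is appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            original = src.read(info.filename)
            replace = info.filename == name and not duplicate
            dst.writestr(info.filename, data if replace else original)
        if duplicate or name not in src.namelist():
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                dst.writestr(name, data)
    return buf.getvalue()


def verify_package(package, key=SIGNING_KEY):
    """Return (True, 'ok') only if every installed file is covered by a validly
    signed manifest and nothing the manifest promises is missing."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        # A name that appears twice is ambiguous: the entry whose bytes were
        # checked may not be the entry that gets installed. Refuse, don't guess.
        if len(names) != len(set(names)):
            return False, "duplicate entry names"
        try:
            manifest_bytes = zf.read(MANIFEST)
            signature = zf.read(SIGNATURE).decode()
        except KeyError:
            return False, "missing manifest or signature"
        expected = hmac.new(key, manifest_bytes, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "manifest signature mismatch"
        manifest = json.loads(manifest_bytes)
        content = [n for n in names if n not in (MANIFEST, SIGNATURE)]
        for name in content:  # every file that would be installed must be signed
            if name not in manifest:
                return False, "unsigned file: " + name
            digest = hashlib.sha256(zf.read(name)).hexdigest()
            if not hmac.compare_digest(digest, manifest[name]):
                return False, "modified file: " + name
        for name in manifest:  # and nothing signed may have been dropped
            if name not in content:
                return False, "missing file: " + name
    return True, "ok"


# Constructed sample package; names mimic an app's layout, contents are arbitrary.
SAMPLE_FILES = {
    "AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
    "classes.dex": b"dex\n035\x00constructed bytecode placeholder",
}

if __name__ == "__main__":
    original = build_package(SAMPLE_FILES)
    print("original:", verify_package(original))
    print("modified classes.dex:",
          verify_package(rewrite_package(original, "classes.dex", b"replaced code")))
    print("extra unsigned file:",
          verify_package(rewrite_package(original, "lib/extra.so", b"unsigned")))
    print("duplicate entry:",
          verify_package(rewrite_package(original, "classes.dex", b"copy", duplicate=True)))
```

The point of the four checks is that the verifier reasons about the archive it will actually install, not about a list of names: an altered file, an unsigned extra file, a wrong key and an ambiguous archive are each rejected with a distinct reason, which is also what a defender wants to see in install logs.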
"It can essentially take over the normal functioning of the phone and control any function thereof," wrote Mr Forristal. BlueBox reported finding the bug to Google in February. Mr Forristal is planning to reveal more information about the problem at the Black Hat hacker conference being held in August this year.