Android users – Start panicking now

Actually you probably shouldn’t panic quite yet. Things are being blown out of proportion as usual. Earlier on today details of a Android security hole appeared online, you know the normal stuff.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages


It can essentially take over the normal functioning of the phone and control any function thereof

So what is this all about? Well it seems a security research firm called BlueBox have discovered a so called “Master Key”, which it appears to give would be cyber thieves access to your whole device, be it an Android  phone or tablet. Jeff Forristal, the Bluebox  CTO says in their blog post that the implications of this are huge. Apparently the loophole has been present and unpatched in Android since 2009, which is a worry.

The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years– or nearly 900 million devices– and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.

And there is more info about the vulnerability

The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.

All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.

The panic is that if a Trojan app replaces a system app from a manufacturer, which is rather far fetched, the Trojan app would have access to everything and you’d have no idea. So what is the real world version of the story? Well if you use third party app stores like Amazon, you download APKs from warez sites, you download APKs from community forums, you’re going to have to be VERY careful in what you install. BlueBox have posted some recommendations of what to do.


  • Device owners should be extra cautious in identifying the publisher of the app they want to download.

  • Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.

  • IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.

I’d suggest you turn off “Unknown Sources” in the security section of your settings menu, also I’d stick to Play Store apps for a bit and not install any dodgy hacked games you don’t want to pay for as it could all end in tears.

All three links below have a whole lot more information if you want to read up on this whole debacle. As usual it is a case of a small portion of people actually being susceptible to the bug and certain people decide that it is a major problem and we should all panic. You shouldn’t. Although it does raise issues about why Google have not fixed it yet.

Source – BlueBoxBBC

Via – Android Central