Four-year-old flaw can affect 99% of Android devices
Bluebox researchers say they have discovered a security flaw in Android that has existed for at least four years, since version 1.6 Donut. The vulnerability, which allows malicious applications to be installed on a user's smartphone, can affect up to 900 million devices, according to the company.
It works like this: as a security measure, Android checks the cryptographic keys of applications to make sure they have not had malicious code injected; if the keys have changed, the update is blocked. With the flaw, an application can be modified without breaking these security keys, so software that is considered legitimate can end up infecting the device.
Bluebox, however, has not yet explained how the attack can happen in practice. According to The Verge, the flaw cannot be exploited through the Play Store, since Google has updated the store. A user could be infected by using third-party app stores or tapping malicious links while the option "install application from unknown sources" is enabled.
More details about the flaw are due to be presented at the Black Hat conference in Las Vegas, which takes place at the end of the month. According to Bluebox's technical director, Jeff Forristal, the vulnerability is no longer present in the Galaxy S4, but, oddly, Google is reportedly still working on a fix for the Nexus.
According to Bluebox, this allows for a series of attacks: a malicious actor can steal data or create a botnet of smartphones to attack servers or send spam. On some devices, a trojan with full system access can capture passwords, make calls without the user's consent and record calls.