Mobile security startup Bluebox Security is warning of an Android issue that makes 99% of all Android-based devices vulnerable to attack. The vulnerability would enable a hacker to turn legitimate apps into malicious software without the user realising.
In a blog post, Bluebox CTO Jeff Forristal wrote “The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”
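The quote describes a class of bug rather than a specific one: the component that verifies the signature and the component that installs the package read the same archive differently, so bytes the verifier never checked end up installed. The article does not say where Android's discrepancy lies. A defender's intake check that catches one common way two ZIP parsers can disagree, shown here as an added example that is not code from the article or from Bluebox, is to reject any APK whose central directory names the same entry more than once, or whose local file headers disagree with the central directory. The functions `check_apk_consistency`, `find_duplicate_entries` and `build_sample_apk`, and the archives they construct, are this example's own inventions, not Android or Bluebox tooling.

```python
import io
import warnings
import zipfile
from collections import Counter, defaultdict


def find_duplicate_entries(apk_bytes):
    """Return the sorted names that appear more than once in the central directory.

    ZipFile.namelist() lists every central-directory record, so a name that occurs
    twice shows up twice here even though name-keyed lookups only ever see one copy.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(zf.namelist())
    return sorted(name for name, n in counts.items() if n > 1)


def check_apk_consistency(apk_bytes):
    """Return (ok, problems) for an APK (a ZIP archive).

    A package passes only if every entry name is unique and every entry can be read
    through its central-directory record. Duplicate names are reported together with
    the distinct CRCs seen, which is exactly the situation where a verifier keyed on
    names and an installer walking the records can end up looking at different bytes.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        crcs_by_name = defaultdict(set)
        for info in zf.infolist():
            crcs_by_name[info.filename].add(info.CRC)
        for name, crcs in sorted(crcs_by_name.items()):
            copies = sum(1 for i in zf.infolist() if i.filename == name)
            if copies > 1:
                problems.append(
                    f"duplicate entry: {name} ({copies} copies, {len(crcs)} distinct CRCs)"
                )
        # zipfile cross-checks the local header name against the central directory
        # and the CRC against the decompressed data; either mismatch raises BadZipFile.
        for info in zf.infolist():
            try:
                with zf.open(info) as fh:
                    fh.read()
            except zipfile.BadZipFile as exc:
                problems.append(f"local/central header mismatch: {info.filename}: {exc}")
    return (not problems, problems)


def build_sample_apk(duplicate):
    """Construct a minimal APK-shaped archive in memory (sample data, not a real app).

    With duplicate=True a second 'classes.dex' with different contents is appended,
    which the zipfile module permits with only a warning.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00 original bytecode (constructed)")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # suppress the 'Duplicate name' warning
                zf.writestr("classes.dex", b"dex\n035\x00 different bytecode (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    for label, dup in (("clean", False), ("duplicate-entry", True)):
        ok, problems = check_apk_consistency(build_sample_apk(dup))
        print(f"{label}: {'OK' if ok else 'REJECT'}")
        for p in problems:
            print("  -", p)
```

Running the script prints `OK` for the clean archive and `REJECT` with a `duplicate entry: classes.dex` line for the second one. The check is deliberately independent of the signature scheme: it only asserts that the archive has one unambiguous interpretation, so that whatever the verifier signed off on is what the installer will unpack.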
The company says it notified Google in February and plans to reveal more details about the issue at the Black Hat USA 2013 security conference in a few weeks.
Although applications downloaded from the Google Play app store are protected from this type of manipulation, other apps on third-party sites could be exploited.
[More details: Kaspersky Lab Threatpost]