Google shipped four releases of Android in 2009 (1.1, 1.5 "Cupcake", 1.6 "Donut" and 2.0 "Eclair"), but Bluebox clarified that the vulnerability dates back to Android 1.6 (Donut): that release and every later version are affected.
Writing on the company blog, Jeff Forristal, Bluebox's CTO, called the implications huge; 99 percent of Android users are affected, the company said. The vulnerability allows an attacker to modify an APK's code without breaking the application's cryptographic signature, which means any legitimate application can be turned into a malicious Trojan without the change being noticed by the Play Store, the device, or the end user.
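The article does not explain how a signed APK can be altered without invalidating its signature. The publicly documented root cause of this bug (Android bug 8219321; this detail is not in the article) is that an APK is a ZIP archive, and when two entries carried the same file name, the code that verified the signature and the code that installed the application resolved the name differently, so one copy was checked while the other was run. The script below is an added example, not Bluebox's or Google's code. It constructs a small APK-shaped ZIP with a duplicate `classes.dex` entry (constructed test data, not a real application; the entry contents and the manifest are stand-ins), shows that a "first entry wins" reader and a "last entry wins" reader return different bytes from the same archive, and provides the check a practitioner would want to run before trusting an APK's signature: reject any archive whose central directory lists a name more than once.

```python
import io
import warnings
import zipfile
from collections import Counter
from typing import Dict

# Constructed sample data, not a real application: one classes.dex stands in
# for the original, signed copy and the other for a modified copy.
ORIGINAL_DEX = b"dex\n035\x00 original bytecode (stand-in)"
MODIFIED_DEX = b"dex\n035\x00 modified bytecode (stand-in)"


def build_sample_apk(with_duplicate: bool = True) -> bytes:
    """Build an APK-shaped ZIP; with_duplicate=True lists classes.dex twice."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns "Duplicate name" for the second classes.dex but still
        # writes it, which is exactly the layout the scanner must catch.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.writestr("AndroidManifest.xml", b"<manifest/>")  # stand-in
            if with_duplicate:
                z.writestr("classes.dex", MODIFIED_DEX)
            z.writestr("classes.dex", ORIGINAL_DEX)
    return buf.getvalue()


def read_first_match(apk: bytes, name: str) -> bytes:
    """Resolve a name by walking the central directory and taking the first hit."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            if info.filename == name:
                return z.read(info)
    raise KeyError(name)


def read_last_match(apk: bytes, name: str) -> bytes:
    """Resolve a name through a filename-keyed map, where the last entry seen
    overwrites earlier ones (zipfile.getinfo behaves this way)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return z.read(z.getinfo(name))


def duplicate_entries(apk: bytes) -> Dict[str, int]:
    """Return every entry name that appears more than once in the central
    directory.  A well-formed APK has none; any hit should be rejected."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        counts = Counter(info.filename for info in z.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_to_trust_signature(apk: bytes) -> bool:
    """Gate for a signature check: only an archive with unique entry names
    is guaranteed to be verified and installed from the same bytes."""
    return not duplicate_entries(apk)


if __name__ == "__main__":
    apk = build_sample_apk()
    print("duplicates:", duplicate_entries(apk))
    print("first-match reader:", read_first_match(apk, "classes.dex"))
    print("last-match reader: ", read_last_match(apk, "classes.dex"))
    print("safe to trust signature:", is_safe_to_trust_signature(apk))
    print("clean archive safe:", is_safe_to_trust_signature(build_sample_apk(False)))
```

The two readers are deliberately simple models of the two resolution policies; the point is that a signature over "classes.dex" is only meaningful if every consumer of the archive agrees on which bytes that name denotes. Rejecting duplicate names outright is the cheapest way to restore that guarantee, and it is the approach Android's own fix for the bug took.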
While the risk to the individual and the enterprise is already great (a malicious app can access personal data, or gain entry into an enterprise network), it is compounded for applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or by third parties that work in cooperation with a manufacturer (e.g. Cisco with AnyConnect VPN), because such applications are granted special elevated privileges within Android, specifically system UID access. Bluebox provided a screenshot in which it modified the system-level software information of an HTC device (shown) so that the company's name appears in the baseband version string, a value normally controlled and configured by the system firmware.
Installing a Trojanized version of such a manufacturer-signed application grants it full access to the Android system and to every application (and its data) installed on the device. The application can then not only read arbitrary application data (email, SMS messages, documents, etc.) and retrieve all stored account and service passwords, it can take over the normal functioning of the phone and control any of its functions (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for an attacker to take advantage of the always-on, always-connected and always-moving (and therefore hard-to-detect) nature of these "zombie" mobile devices to build a botnet.
Bluebox said it had reported the bug to Google in February. Forristal said the company plans to reveal more details about the issue at the Black Hat security conference being held in August this year.
Security firm Lookout said it had replicated the scenario, confirming Bluebox's report.
Google has not issued a statement on the problem, as yet.