Google says that it has released a fix to Android phone makers that will squash a big, big bug in the operating system. That huge bug left a massive hole for hackers to turn almost any official app into a Trojan Horse, and it affected nearly every Android smartphone that has been produced in the last four years.
The Mountain View giant said it had already modified its Play Store to make sure that such Trojan Horse apps aren't distributed through official means, making third-party app installations a risky proposition for Android users. Google also said that it was passing the bug fix onto the OEMs - or original equipment manufacturers - that make Android devices. Google can "confirm that a patch has been provided to our partners," Gina Scigliano, Android Communications Manager said in a statement. "Some OEMs, like Samsung, are already shipping the fix to the Android devices." However, depending on manufacturers to patch the bug may leave some Android owners out in the cold.
Uncovered months ago by cybersecurity research firm Bluebox Labs, news of the bug hit the web last week. The problem, which affects approximately 99 percent of Android smartphones, was a vulnerability in Android's code going back to Android 1.6 "Donut," which was released in September 2009.
The problem was with the Android code relating to installing files, which would allow hackers to modify the code in Android application package files, or ".apk" files. These files are used to distribute, verify, and install application software onto Android devices. Modifications to application package code could be made without breaking the application's cryptographic signature, meaning that any changes could go unnoticed by the system.
This means hackers could potentially use the Android bug as a master key, or as Jeff Forristal of Bluebox Labs put it, "to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone or the end user." When Bluebox security noticed the vulnerability in February, the company alerted Google to the problem.
Now that Google has released a fix for the security flaw to Android OEMs, Android users will have to wait for their manufacturers to apply the fix in an update. This may be a problem for people who own so-called "legacy" devices, which run a version of Android that is new enough to be affected by the bug (that's a lot, since any Android phone sold in the last four years qualifies), but old enough that it's not a manufacturer's priority to mend. According to TechCrunch, the Samsung Galaxy S4 is the one named Android device that has already been patched.
Still, Android users should theoretically be safe if they limit their app downloading to the Google Play app store, as Google has fixed the issue and never saw the weakness exploited (however, the Register supposedly found an example of the weakness, at least in code, at GitHub). "We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools," said Gino Scigliano to ZDNet. Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play."
Check back with LatinosPost for more information on patches for this scary Android bug, as the various phone makers announce their availabilities.
- Contribute to this Story:
- Send us a tip
- Send us a photo or video
- Suggest a correction
