A team of security researchers claim to have identified a four-year-old Android bug that can allow malicious trojans to appear as verified apps, infecting devices with malware while users remain unaware of its presence.
Usually, apps are verified using cryptographic signatures: modified updates are thus rejected if the key doesn't match the one provided by the software developer. But the team, from Bluebox Labs, have found a way to modify an app's APK file without breaking the signature—which means malicious code can easily be injected and users never made aware.
The team claims the bug has existed since Android 1.6 Donut, and that it affects 99 percent of devices which use the OS. Google was notified of the bug in February 2013, but because of the way Android updates roll out it's up to device manufacturers to offer users a patch for the vulnerability. Apparently the Galaxy S4 has already been updated—but weirdly Google's Nexus line remains a work-in-progress.
Of course, before you panic too much it's worth noting that, even if malicious code can be injected into an already verified app, the software has to find its way onto your phone. And if you're exclusively using the Play Store it's not clear how that would happen—unless you're tricked into downloading bogus updates from third-party app stores or the web. The take home: be careful when you stray from Google's safe haven.
Bluebox will present the research later this month at the Black Hat security conference in Las Vegas. [Bluebox via IDG via Verge]