July 17, 2013
The Java-based vulnerability, discovered by the Android Security Squad, is similar to the master key vulnerability uncovered by Bluebox Security less than two weeks ago that enables hackers to not only access data and passwords, but to take over the normal functioning of the device.
According to the Android Security Squad, this new threat capitalizes on a vulnerability in the way Android reads APK files. This, in turn, allows hackers to modify legitimate apps, turning them into malicious Trojans without anyone being the wiser.
According to Bluebox, the vulnerability it discovered has been kicking around for the past four years so, potentially, any Android phone released during that time period — that is 900 million devices — could be targeted.
The Android Security Squad did not indicate how long the flaw it discovered has been in operation.
Meanwhile, security company Webroot has teamed up with ReKey, a partnership between Northeastern University in Boston and online security company Duo Security, to release a patch that protects vulnerable Android-run devices.
The ReKey app not only applies Google patches, but also alerts users if another app tries to install itself using the vulnerabilities.
“We have been diligently working on protecting those not yet covered by patches or updates, and finding a solution for older devices as well,” Webroot wrote on its blog.
“We are happy to report we have the solution! The newest version of Webroot SecureAnywhere Mobile with a patch for the ‘Master Key’ bug can be found on the Google Play store now: Webroot SecureAnywhere Mobile.”