A newly discovered security hole could affect as much as 99 percent of the Android userbase. According to security researchers at Bluebox Labs, a bug that has existed since Android 1.6 allows third parties to modify an application without breaking its cryptographic signature. Translated, this means a hacker could theoretically push malware to a device in the form of an update to an app legitimately installed on a handset.
There would still be a few hurdles to clear to make this a reality, such as devising a means to deliver the update to a user’s handset. It would not be possible through the Google Play Store, but could possibly be achieved through a third-party app store or bogus website. If a hacker could trick users into installing the disguised malware, they would have free rein to deploy any number of existing or new Android trojans.
Bluebox has already alerted Google, but it seems there is little being done. The Android maker is leaving it to device manufacturers to address the issue, which is apparently the case with Samsung. Word is they have patched the issue with the Galaxy S4. Google’s Nexus 4, on the other hand, remains vulnerable.
[via The Verge]