The computer security company Bluebox has disclosed a security flaw in the Android operating system that has existed since version 1.6 of the OS, released in October 2009, and that could affect 99% of smartphones using Google's OS.
This security hole could allow a Trojan masquerading as an official application to be installed on an Android device, where it could access all the information stored on the device and also control it. "The application is not only able to read application data randomly on the device (email, SMS, documents, etc.) to get all accounts and passwords stored, it can almost seize the normal phone operation and control any function of it (make calls and send text messages at random, turn on the camera and record calls)," says Bluebox.
The company explains that, for security, Android applications contain a cryptographic signature that enables the system to check that an application is authentic and has not been modified by a third party. The flaw revealed by Bluebox makes it possible to change an application's code "without affecting" the signature of the application.
The company does not, however, reveal how the flaw can be exploited, and says it has warned Google. "It is up to device manufacturers to develop and deploy software updates for mobile devices," says Bluebox, which will give more information at the Black Hat USA 2013 gathering from July 27 to August 1.
Here are some recommendations from Bluebox to stay safe:
- Device owners should be extra cautious in identifying the publisher of the app they want to download.
- Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
- IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.