Since Android 1.6 — also known as Donut — a security vulnerability has been quietly hiding in the mobile operating system for nearly four years. It allows someone to create a malicious version of a legitimate Android app without triggering any warning bells. Here's what you need to know about this recently discovered vulnerability (which can potentially affect most current Android devices).
Every single Android app has a cryptographic signature which is used to verify that it's legitimate and hasn't been tampered with or modified in some way. This is how your phone knows that it shouldn't overwrite Angry Birds with another app that is trying to pass itself off as the popular Rovio game, for example.
As long as you're downloading apps from Google Play, the tech giant's own app store, everything's fine. Google has made sure that no modified versions of legitimate apps can be made available through Google Play.
But if you're willing to check the "Unknown Sources" permission box in your Android settings and download apps from third-party markets ... well, that's another ballgame.
During a presentation at the Black Hat security conference, Jeff Forristal, CTO of Bluebox Security, indends to break down exactly how someone can "turn any legitimate application into a malicious Trojan" in a way that'll make virtually impossible for a user to notice that something is wrong.
The reason this vulnerability is particularly frightening is that it means someone could create a modified version of one of the Android system apps, which have permission to access just about anything on your device. If you download the malicious app, Forristal, explains, it would replace the legimitate one, and suddenly it "not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account and service passwords, [but] it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)."
Sounds scary, right? But not everyone thinks that it's time to panic just yet. "The risk is when users install applications from third-party websites," Chester Wisniewski, a senior security adviser at Sophos, tells NBC News via email. "This practice is ALWAYS dangerous, this just makes it extra difficult to determine if an app has been tampered with. It should be assumed that an app HAS been tampered with anytime it is acquired from a source other than the original manufacturer or the Play Store."
We've contacted Amazon to see what steps it has taken to protect its own Appstore from malicious apps. While we haven't heard back, Wisniewski has faith in the Web giant. "I have not seen any evidence of Amazon being less thorough than Google, but have not personally investigated their processes," he says.
Until all the details come out, what can you do to keep yourself (and your Android devices) safe? Well, you can don you tinfoil hat and not download any apps from sources other than Google Play. Additionally, you can go into your settings and find the setting which allows "installation of apps from sources other than the Play Store" or "from unknown sources" and uncheck it.
Want more tech news or interesting links? You'll get plenty of both if you keep up with Rosa Golijan, the writer of this post, by following her on Twitter, subscribing to her Facebook posts, or circling her on Google+.
First published July 5 2013, 10:18 AM