Major security hole found in Android architecture

Due to its open-source nature, Google's Android OS has always been more vulnerable to malicious attacks compared to Apple's iOS or Windows Phone. That doesn't seem to be getting any better either, as a group of researchers have stumbled upon a major hole in the OS, one that could affect up to 99% of devices.

According to the security research team at Bluebox labs, a vulnerability in Android's security model allows APK modifications that convert a legitimate application into a malicious one. This modification occurs without changing the cryptographic signature, which means that neither the app store, user or application are even aware of any wrongdoing.

Using this hole, the infiltrator ends up with access to all of the smartphone's functions, rendering sensitive information and VPN access ripe for the taking. Even worse, this hole has been present since Android 1.6 Donut, and the Galaxy S4 appears to be the only device that's been patched.

Although the hole is disturbing on its own, the issue is further complicated by the numerous Android manufacturers, each having a unique release cycle. As such, every device manufacturer would have to issue their own update, increasing the time it would take to fully eradicate the issue. More details about the issue are available on the Bluebox website, but a lengthy discussion is also scheduled for the Black Hat USA conference at the end of this month.

Source(s)