A security hole that allows nearly all Android applications to be turned into Trojan malware has been patched by Google. The vulnerability, identified by Bluebox Security, goes back as far as Android 1.6 and allows someone to change the contents of an application without changing its cryptographic signature. As a result, when the app is installed, Android cannot detect that the app has been modified.
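To make concrete what "detect that the app has been modified" means at the file level, here is an added example (not code from the article, Google or Bluebox) of the kind of comparison an installer's integrity check has to perform: every file in an APK-style zip is hashed and compared against the SHA1-Digest recorded for it in META-INF/MANIFEST.MF, and files that the manifest does not cover are reported. It is a simplified, standalone checker working on a constructed in-memory archive; it does not verify the signature over the manifest itself and makes no claim to reproduce the specific flaw Bluebox found.

```python
"""Added example: simplified digest check of an APK-style zip against its
JAR manifest. Not Android's installer code; it demonstrates only the
content-versus-recorded-digest comparison that an integrity check relies on."""
import base64
import hashlib
import io
import zipfile


def parse_manifest(text):
    """Return {entry_name: base64_sha1} from a JAR-style manifest.
    Sections are separated by blank lines; a line starting with a space
    continues the previous line (manifests wrap long lines at 72 bytes)."""
    unwrapped = []
    for line in text.splitlines():
        if line.startswith(" ") and unwrapped:
            unwrapped[-1] += line[1:]
        else:
            unwrapped.append(line)
    digests = {}
    name = None
    for line in unwrapped:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif line == "":
            name = None  # blank line ends the current section
    return digests


def check_apk(data):
    """Return a sorted list of (entry, problem) tuples. An empty list means
    every non-META-INF file matched the digest recorded for it."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in zf.infolist():
            if info.filename.startswith("META-INF/") or info.is_dir():
                continue
            expected = digests.get(info.filename)
            if expected is None:
                problems.append((info.filename, "not covered by manifest"))
                continue
            # Read by ZipInfo so exactly this archive entry is hashed.
            actual = base64.b64encode(hashlib.sha1(zf.read(info)).digest()).decode()
            if actual != expected:
                problems.append((info.filename, "digest mismatch"))
    return sorted(problems)


def build_archive(files, manifest_entries):
    """Construct an in-memory zip whose manifest lists manifest_entries while
    the archive body contains files. Constructed test data, not a real APK;
    no signature block is written."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lines = ["Manifest-Version: 1.0", ""]
        for name, content in manifest_entries.items():
            digest = base64.b64encode(hashlib.sha1(content).digest()).decode()
            lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
        zf.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample contents standing in for an app's files.
ORIGINAL = {"classes.dex": b"dex\n035\x00original code", "res/a.xml": b"<a/>"}
PATCHED = dict(ORIGINAL, **{"classes.dex": b"dex\n035\x00patched code"})
EXTRA = dict(ORIGINAL, **{"lib/extra.so": b"\x7fELF unexpected"})


if __name__ == "__main__":
    print("untouched:", check_apk(build_archive(ORIGINAL, ORIGINAL)))
    print("modified: ", check_apk(build_archive(PATCHED, ORIGINAL)))
    print("added:    ", check_apk(build_archive(EXTRA, ORIGINAL)))
```

The manifest digests are themselves only meaningful once the manifest and its signature file have been verified against the signing certificate; that step is omitted here to keep the example focused on the content comparison.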
Google confirmed to ZDNet that the vulnerability has been patched and that the fix has been released to device manufacturers. Gina Scigliano, Google’s Android Communications Manager, confirmed that “a patch has been provided to our partners – some OEMs, like Samsung, are already shipping the fix to the Android devices.” For example, the Galaxy S4 has already been patched. She added that Google has yet to see any evidence of this exploit in Google Play or other app stores. “Google Play scans for this issue – and Verify Apps provides protection for Android users who download apps to their devices outside of Play.”
While Google has downplayed the severity of the issue, it highlights one of the major limitations of Android. With no centralized software update distribution mechanism, the fate of Android users is now in the hands of their manufacturers. With the vulnerability going back a number of years and affecting hundreds of millions of devices, it is unlikely that all devices will be patched.
Should Google be responsible for security updates instead of its partners? And are you concerned about this vulnerability? Let us know below.
Source: ZDNet