Google releases fix to OEMs for Bluebox Security Android security hole

Summary: Google has found a fix for a vulnerability in Android's security model that could allow attackers to convert 99 percent of all applications into Trojan malware.

It doesn't get much scarier than this. Bluebox Security claimed to have discovered a vulnerability in Android's security model that could allow attackers to convert 99 percent of all applications into Trojan malware. Google has told ZDNet that the hole has been patched and that the patch has been released to original equipment manufacturers (OEMs).

Bluebox Security CTO Jeff Forristal had said that this Master Key vulnerability has been "around at least since the release of Android 1.6, [and] could affect any Android phone released in the last four years — or nearly 900 million devices."

This security vulnerability is in how Android applications are verified and installed. Each application has a cryptographic signature, to ensure that the contents of an application have not been tampered with. The security hole, however, enables attackers to change the contents of an application while leaving the signature intact.

Gina Scigliano, Google's Android Communications Manager, said that while Google didn't have a statement, she could "confirm that a patch has been provided to our partners - some OEMs, like Samsung, are already shipping the fix to the Android devices."

Thus, Android users will, as they always have, need to rely upon their hardware vendors for this update.

They may not need to worry too much. Scigliano added, "We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play."

About

Steven J. Vaughan-Nichols, aka sjvn, has been writing about technology and the business of technology since CP/M-80 was the cutting-edge PC operating system; 300bps was a fast Internet connection; WordStar was the state-of-the-art word processor; and we liked it. His work has been published in everything from highly technical publications...
