I don't know shit about tech or security issues, but I see plenty of threads here with members chewing the fat about new smart phones and the like so I thought this might be of interest.

I won't try to paraphrase the article, as I'd just muddle it up so here's the opening paragraph (http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/)

"The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years1 – or nearly 900 million devices2– and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."

Another article from the BBC (http://www.bbc.co.uk/news/technology-23179522) which says Google had "no comment" on the story.

Convenient that the original article is now MIA..

Google "android master key." There's another rather detailed article on TechCrunch.

Sent from my Kindle Fire using Tapatalk 2

http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/


Convenient that the original article is now MIA..

http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/

Thanks, Honu. I've replaced the link in the OP with this one.

Generally these groups alert the primary parties first when they find these issues.

IOW, contact Google, contact the apps store or whatever. Then they expect them to fix the problem which is often done fairly quickly. Then if they get no response or it appears the consumer is being deceived they release the info to protect themselves.

People used to get pissed at MS for taking way to long to fix problems where Apple would react immediately.

Also the fact that these guys have found something that has existed for years doesn't mean it's been exploited for years. It means it will now start to be exploited...... thus the heads up warning.

I didn't read this specific article but that's how the "white hat" hackers often try to handle things.

Ideally the problem is fixed just before it becomes public knowledge or a fix is made available to the public.



Recommendations

Device owners should be extra cautious in identifying the publisher of the app they want to download.
Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.

The bold suggests there is already a fix.

I am sure Google will get this squared away pretty quick. They are one of the only companies I know of that actually pay people to find flaws and holes in their Web Browser and OS. Find a bug report it and get paid.

That shows you are serious about security and not just paying lip service.

For this 'master key' to work, you need to download and install dodgy software, which does not come from Google Play or any of the legit locations.

It's 'master'ness is debatable.

For this 'master key' to work, you need to download and install dodgy software, which does not come from Google Play or any of the legit locations.

It's 'master'ness is debatable.

What's more, in order for it to replace a legitimate program it has to be submitted to Google by the original software developer of that program.

I can't just upload my own version of Angry Birds and replace Rovio's because my version SEEMS identical.

If you believe Google is cleaning up the Play Store you are wrong.

http://venturebeat.com/2013/07/05/fake-jay-z-app/