Android Update Vulnerability Lets Malware Bypass Digital Signature Check, 900 Million Potentially Affected

Android, like any operating system, is vulnerable to exploits. And every year about this time, we see a flurry of openings crop up as Black Hat approaches. Typically, these hacks are discovered by researchers who are looking to make the software universe safer. And now, Bluebox Security is doing precisely that. The company has discovered a vulnerability in the Android code base that essentially allows nefarious hackers to modify a digitally-approved Android APK without breaking the app's cryptographic signature. That last part is key; if the cryptographic signature breaks, that triggers an action that can prevent further hacking.


Bluebox plans to showcase the entire hack at Black Hat conference this August, but in the meanwhile, some phone makers are already looking to patch it. Google itself is planning to release a patch to the Android Open Source Project to fill in the newfound gap. The actual impact could vary, but it has the potential to let a hacker in and root around in one's data. It's unlikely this will ever happen, though, as Bluebox has no intentions of revealing the hack until it's patched.

The hack could impact Android versions as old as v1.6 (nearly four years old), meaning that nearly a billion products are at risk -- in theory. As ever, this is a great reminder to watch out for unsigned apps that you may install on your Android phone. Being a cautious user generally prevents the installation of nefarious apps.