Bad news for us Android users: Bluebox Labs, a computer security research team, just found a massive vulnerability in Android's security model that, in theory, allows hackers to take control of a phone, listen in on conversations, access data, turn apps into malicious Trojans and send junk messages. Amazingly, what's being called the “master key” is present on any Android phone released in the last four years, which amounts to 900 million devices.
According to the Bluebox blog, “while the risk to the individual and the enterprise is great, this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer.”
Installation of a Trojan application from the device manufacturer can grant the application full access to the Android system and to all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.) and retrieve all stored account and service passwords; it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
According to BBC News, Google said it currently had no comment to make on Bluebox's discovery.
For more details on Bluebox's findings, read the blog post here.