UPDATED 14:16 EDT / JULY 08 2013

Android’s Achilles’ Heel Poses a Major Threat to Users

Researchers from Bluebox Security have discovered a vulnerability that leaves 99 percent of all Android devices exposed to malware. SiliconANGLE Contributing Editor John Casaretto discussed the findings in a recent interview with NewsDesk host Kristin Feledy.

Android uses cryptographic signatures to verify that application updates originate from developers. John says that the exploit Bluebox uncovered allows attackers to bypass this verification mechanism and modify an application without breaking its unique signature.

The severity of the compromise depends on the application. While an arbitrary app may or may not give attackers access to personal data, a pre-installed application with a platform key can potentially enable them to take over the entire device and co-opt it into a botnet.

The bug dates back four years to Android’s 1.6 Donut build. John finds it notable that it took so long to detect, and highlights the importance of security research.

Feledy mentions Google Play, which features a filter mechanism that prevents developers from submitting apps with vulnerable signatures. John explains that Bluebox notified Google about the exploit in February, and points out that the company hasn’t patched it yet because the Android ecosystem is simply too large and too fragmented.

The signature vulnerability affects some 900 million Android devices worldwide, including phones and tablets from dozens of manufacturers. To complicate matters further, low- and mid-range handsets tend to feature older versions of Google’s mobile operating system. For these reasons and others, an all-inclusive update is out of the question. Device-specific patches are more practical, John notes, but only a handful of models have been updated to date.

Users who own unpatched devices should avoid downloading apps from third-party sites until a fix or a new version of Android is available.

Check out the video below for the full interview.
