Google’s Android mobile platform has been under constant scrutiny from mobile security researchers. Many loopholes have been reported, and Google’s Android team has taken care of them as soon as possible. Bluebox Security CTO Jeff Forristal posted on the blog that Android still has a vulnerability which, if exploited, can affect about 99 per cent of Android devices.
Jeff Forristal noted in the blog post that a Trojan application can read arbitrary data such as email, SMS messages, and documents on the device. Forristal clarified that the loophole lies in the way Android apps are approved and verified. Because of that, attackers can tamper with the application code without touching the app’s cryptographic signatures. In short, any legitimate-looking app, in the Google Play Store or outside it, could actually carry reverse-engineered, modified code. Google has informed the device manufacturers to take care of the apps.
Now here is a situation that Google may not be able to control entirely. The market already has millions of devices running year-old Android versions with no additional security patches provided for them. We still see device makers selling devices loaded with Gingerbread and Ice Cream Sandwich, which may be vulnerable due to pre-installed third-party apps. Owners of these devices should be very cautious when installing apps, even if they are from the Google Play Store.
Thankfully, Android 4.1.2 Jelly Bean verifies an app before it is installed on the device, but we are not sure what exactly gets verified there: just the signature or the entire app code. Once again, we urge owners of Android-based smartphones to stick with apps available from the Google Play Store only.