Security research firm Bluebox has discovered a “master key” that can give cyber-thieves unregulated access to almost every Android phone.
This “key” or bug, as BBC News reports, can do whatever the cyber-offender wants it to do. It can steal data, eavesdrop on phone calls or send junk mail.
The bug emerges because of the way Android handles the cryptographic verification of programs installed on the phone.
Android uses cryptographic signatures to check if apps are legitimate and ensures it has not been altered.
Jeff Forristal, chief technical officer at Bluebox, said his team found a way to ‘trick’ the way Android checks these signals. What follows are malicious changes to the apps which go unnoticed.
Any programme can be written to exploit the bug and can be used to gain access to phones. Forristal said it can control any function from there on out.
The problem however, is merely a theoretical one because there is no evidence that suggests cyber-hackers are using the bug for exploitation.
bit-tech reported that releasing the technical details runs the risk of opening up the channel for cyber-thieves to attack.
Google has not commented on the discovery.
Forristal recommends that Android users be extra cautious in identifying the publisher of any app they download and all users must update their software.
