Researchers have discovered a flaw in Google’s Android security model that enables rogue apps to turn legitimate apps into malicious Trojans.
The security flaw enables rogue apps to gain full access to the Android system and all other installed apps, read all data on the device, harvest passwords and create a botnet of ‘always-on, always-connected and always-moving’ spy devices tracking users’ locations.
Researchers at Bluebox Labs believe the flaw was introduced with the release of Android 1.6 Donut, meaning it could affect any Android phone released in the last four years – that’s up to 900 million devices.
“It can essentially take over the normal functioning of the phone and control any function thereof,” said Bluebox’s chief technology officer Jeff Forristal.
Bluebox disclosed the Android flaw to Google in February, but the firm said it is up to device manufacturers to release firmware updates for mobile devices and up to users to install them.
So far there has been a patch for the Galaxy S4, and Samsung is believed to be working on patches for its Nexus devices next.
Bluebox recommends that device owners use extra caution when identifying the publisher of an app they want to download. It also suggests that enterprises with BYOD implementations prompt all users to update their devices and highlight the importance of keeping devices up to date.