Maybe it comes as no surprise that hackers are able to convert legitimate Android apps into Trojan malware and essentially take over your phone. Another day, another scare. But the deeper implication of this story is that it shows just how difficult it is for Google to secure the global Android environment.
The vulnerability was discovered by Bluebox, a mobile security startup. At first glance, it's devastating. An Android vulnerability which affects phones released over at least the last four years (all 900 million of them) allows hackers to modify the code inside an APK (Android application package) of a legitimate application and turn it into malware.
The rogue app can reach any data stored on the phone, including other apps' data, and can be controlled remotely, which opens the door to mobile botnets. Worse, the code can be altered while the app keeps its original digital signature, so the tampered app passes the platform's signature check and appears legitimate and unmodified.
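To make the "retains its signature" claim concrete, here is an added example, not code from the article or from Bluebox, and not a reproduction of their still-unpublished technique. An Android package is a ZIP archive whose signature is computed over a manifest of per-entry digests, so the platform's check only means anything if the bytes the verifier hashes are the same bytes the installer loads. The script below builds a constructed, unsigned mini-APK in memory (the manifest digests stand in for the set of bytes a real signature would cover) and then runs a consistency check that flags two things a legitimate package never exhibits: an entry whose bytes no longer match the manifest, and two ZIP records sharing one name, where a verifier and an installer could disagree about which copy is "the file". Entry names, contents and the tamper modes are all assumptions of the example.

```python
# Added example: an offline APK consistency check, not code from the article or
# from Bluebox. The sample "APK" is constructed inline, unsigned, and the
# manifest digests stand in for the set of bytes a real signature would cover.
import base64
import hashlib
import io
import warnings
import zipfile

ORIGINAL_FILES = {                      # constructed sample contents
    "classes.dex": b"\x00dex-bytes-original",
    "res/layout.xml": b"<layout/>",
}
TROJAN_DEX = b"\x00dex-bytes-trojan"    # constructed replacement code


def sha1_b64(data):
    """JAR-manifest style digest: base64 of the SHA-1 of the entry bytes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(files):
    """Build a minimal META-INF/MANIFEST.MF listing one SHA1-Digest per entry.
    Real manifests wrap long lines at 72 bytes; these digests are short enough
    that no continuation lines are needed."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode("utf-8")


def build_sample_apk(tamper=None):
    """Return an in-memory ZIP that mimics an APK. tamper=None gives a clean
    archive; "replace" swaps classes.dex for other bytes without touching the
    manifest; "duplicate" keeps the original entry and appends a second record
    with the same name (zipfile only warns about that, it does not refuse)."""
    manifest = build_manifest(ORIGINAL_FILES)   # digests of the ORIGINAL bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z, warnings.catch_warnings():
        warnings.simplefilter("ignore")         # silence the duplicate-name warning
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in ORIGINAL_FILES.items():
            if tamper == "replace" and name == "classes.dex":
                data = TROJAN_DEX
            z.writestr(name, data)
        if tamper == "duplicate":
            z.writestr("classes.dex", TROJAN_DEX)
    return buf.getvalue()


def parse_manifest(data):
    """Return {entry name: SHA1-Digest} from a manifest's per-entry sections."""
    digests, name = {}, None
    for line in data.decode("utf-8").splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif line == "":
            name = None               # a blank line ends a section
    return digests


def check_apk(apk_bytes):
    """Return a list of findings; an empty list means every ZIP record is
    covered by the manifest and hashes to the digest the manifest lists.
    Each record is read through its own ZipInfo rather than by name, so two
    records sharing a name are both checked instead of one shadowing the other."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        infos = z.infolist()
        seen = set()
        for info in infos:
            if info.filename in seen:
                findings.append(f"duplicate entry: {info.filename}")
            seen.add(info.filename)
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        for info in infos:
            if info.filename.startswith("META-INF/"):
                continue              # manifest and signature files are not self-listed
            expected = digests.get(info.filename)
            if expected is None:
                findings.append(f"entry not covered by manifest: {info.filename}")
                continue
            with z.open(info) as f:
                if sha1_b64(f.read()) != expected:
                    findings.append(f"digest mismatch: {info.filename}")
    return findings


if __name__ == "__main__":
    for mode in (None, "replace", "duplicate"):
        print(mode, check_apk(build_sample_apk(mode)))
```

The clean archive produces no findings, the straightforward replacement is caught by the digest mismatch alone, and the duplicate-record archive is caught twice: once by the name collision and once because the second copy does not hash to the listed digest. The practical lesson is the second one: a verifier that looks entries up by name sees only one record and may pass an archive an installer would unpack differently, so a scanner should walk every record in the central directory.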
Bluebox will release full technical details in an upcoming Black Hat presentation eerily titled "Android: One Root to Own Them All."
This is all bad enough, but it's hardly the end of the world. After all, anyone paying attention already knew about the vast waves of malware washing up on Android's poorly-defended shore. As for this new horror, Google -- notified by Bluebox back in February -- has updated Google Play to reject apps that use the trick, and some handset manufacturers have released patches to address the issue. Note the split: the Play-side check protects only apps distributed through Play, while a device stays vulnerable to apps from anywhere else until its own OS is patched.
So, no worries -- if you buy apps exclusively from Google Play, or if your handset vendor is on the case. And those are big "ifs." Because what this situation shows is the massive security disadvantage which comes along with the valued, loosey-goosey openness of the Android platform.
Apple's centralized control of the iPhone, the iPad, and the Apple app store, together with its hostility to "jailbreaking," can be perceived as dictatorial. But it makes security (relatively) straightforward, and puts Apple in a position to roll out global fixes.
The multiplicity of physical platforms for Android, and the ease of installing apps from all kinds of sources, hands control over to the consumer, but at the cost of taking system-wide security control away from Google. Google can fix its Play Store, but if you want to download apps from EvilHats.com (I made that up), Google can't stop you, and Google can't push the OS fix to your handset either; that depends on the manufacturer and the carrier.
Bluebox has advice:
Check with your device manufacturer or your mobile carrier about your specific Android device model and OS version to see if a recent update/fix has been made available.
Sure. Or don't install anything that's not from Google Play. Anyone betting that the owners of those 900 million devices are going to comply?