BlueBox Security research firm has uncovered a "master key" that can potentially give cyber-thieves free access to almost any smartphone which uses Google's Android mobile operating system.
This security vulnerability can expose any Android-based smartphone to cyber-thieves by granting free access to the data and the normal functioning of the phone. The discovery was made by a security research firm BlueBox, which can lead to massive damage if exploited by attackers. Bluebox said that the loophole has existed in every single version of the Android operating system since 2009.
The security vulnerability appears because of the way Android uses cryptographic verification of the apps and programs installed on the device. Android uses this verification method to authenticate if an app or a program is legitimate. But the new discovery by the security research firm can trick Android into authenticating these signatures without noticing malicious changes to the apps. The vulnerability allows changes to the application's code without affecting its cryptographic signature, which is not detected by the Android system during its authenticating process, according to a blog post published Wednesday by Jeff Forristal, Bluebox CTO.
Forristal notes that the "master key" makes 99 percent of Android based smartphones vulnerable. The modified apps grant similar system privileges as the legitimate ones and such apps would pose a threat if they originate from device makers such as Samsung, HTC, Motorola, LG and others, or third party companies that work with device makers such as Cisco with AnyConnect VPN.
The seriousness of the threat can be analyzed by the amount of information an attacker can get hold of including e-mail, SMS messages, documents and all stored account passwords. People who use mobile banking are also at risk. The attackers can also control the normal functions of the phone including sending random messages or making random calls, turning on the camera and even recording calls, according to the blog post.
"Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these "zombie" mobile devices to create a botnet," the company said.
Google has not responded to BlueBox's discovery but the security firm has already shared the information with the web giant in February. Further details on the "master key" will be disclosed during the Black Hat hacker conference in August this year.
Earlier in May, the U.S. Department of Defense approved the use of Samsung Galaxy S4, which also uses Android operating system, as a part of expansion of its range of mobile devices from Blackberry to other device makers.
The danger from the flaw remains hypothetical as there is no evidence that it has been used by cyber-criminals.