A Four-Year-Old Vulnerability Could Infect 99% of Android Devices with Trojan Malware

A four-year-old vulnerability could infect 99 per cent of Android devices with Trojan malware without users even realising, a team of security researchers has claimed.

A blog post by Bluebox CTO Jeff Forristal said the vulnerability has existed since Android 1.6 and could infect any Android phone - including those by Samsung, HTC and Motorola - released since that incarnation of the operating system. The loophole could therefore potentially affect almost 900 million devices, says Bluebox.

Further reading Review: Google Nexus 4 - no frills Android power for the enterprise? Google could do more to protect Android users from malware, says AVG Android's built-in malware scanner detects just 15 per cent of threats

Android applications are usually verified through the use of cryptography signatures, which are used to determine if an app is legitimate. However, according to Bluebox, the vulnerability makes it possible to change the code without altering its cryptology, essentially making it possible for cyber criminals or hackers to trick the device into believing the application is legitimate when it is, in fact, malware.

"Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed," said Jeff Forristal, who warns the malware essentially allows the complete takeover of the device, letting it read and use data, record calls and send text messages.

He also warns that the "always on" nature of modern phones allows hackers to use them to create botnets.

"Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet."

Forristal recommends Android users be "extra cautious" when identifying the publisher of applications and that businesses with BYOD policies should ensure employees update their device's software whenever possible.