Android Master Key Glitch: 900 Million Phones Could Be Hacked

Any Android phone released within the last four years could be vulnerable to hackers thanks to a recently discovered glitch in the phones' security system.

Over 900 million phones could be impacted by a security vulnerability that allows hackers to access Android phones undetected. The hole was discovered by Bluebox Labs, which is now warning users that their phones can be or might already have been hacked.

"The implications are huge!" Bluebox CTO Jeff Forristal said in a blog post written earlier this week.

If a user accidentally installed a Trojan application, that application could gain "full access" to the Android system and all applications. From there, a hacker would be able to read personal information on the phone, collect passwords and usernames, and worse.

A hacker could "essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls)," Forristal explained. The hacker could also develop a botnet.

Complicating things further is the fact that hackers could gain all of this access and still go undetected.

"The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature," Forristal said.

In summary, that means that any "legitimate" Android app could be tampered with and neither the company nor the phone user would be aware.

Bluebox offered the following recommendations to prevent a hacking attack:

• Device owners should be extra cautious in identifying the publisher of the app they want to download.

• Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.

• IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.

For more information about how the vulnerability works, visit Bluebox here.