Security research firm BlueBox has discovered a ‘masterkey’ bug which could give cyber-thieves unrestricted access to almost any Android device. The bug allows an attacker to do whatever they want with the device, including stealing data, using it to send junk messages and eavesdropping.
The shocking part is that the loophole has been present in every version of the Android operating system since it was launched in 2009. Search engine giant Google said of the discovery that it does not have anything to comment on at the moment. Writing on the BlueBox blog, Jeff Forristal said that the implications of the discovery were enormous.
The bug stems from the way Android handles cryptographic verification of the programs installed on the phone. The operating system uses a cryptographic signature to check that an application or program is legitimate and that it has not been tampered with. Forristal and his colleagues have found a way of tricking Android's signature check so that malicious changes to applications go unnoticed.
Any application written to exploit the bug will have the same access to a phone as the legitimate version of that application has.