Just about every Android phone has a serious security weakness, according to security startup BlueBox, which discovered the vulnerability. By their account, almost every Android phone made in the past four years could be turned into a malicious zombie device, thanks to a flaw that can “turn any legitimate application into a malicious Trojan.” The flaw is in the platform itself, not in any one piece of malware: what it enables is a trojanized copy of a legitimate app, and such an app can behave as spyware.

While news of security issues in Android might not surprise users, the sheer scope of this one does: roughly 900 million phones are potentially affected, according to the company. To get onto a device, an attacker modifies a legitimate app, apparently without invalidating the application’s signature, so the modified package still looks like it came from the original developer. They then distribute the app and convince end users to install it.
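The article does not say how a modified package keeps a valid signature. The script below is an added example, not code from the article or from BlueBox, showing the kind of check a practitioner can run on a package before trusting it: it verifies that every entry in an APK still matches the SHA1 digest recorded for it in META-INF/MANIFEST.MF, and it flags ZIP archives that carry two entries under the same name. That duplicate-name check is included because a package with two copies of a file, where the signature verifier and the installer pick different copies, is the known root cause of this class of bug; the page itself does not describe the mechanism. The APK bytes and their contents are constructed in memory, and only the MANIFEST.MF layer of JAR signing is modelled (the CERT.SF and CERT.RSA files of a real APK are left out).

```python
"""Added example, not from the article or from BlueBox: a per-entry check that
an APK's files still match the SHA1 digests recorded in META-INF/MANIFEST.MF,
plus a check for duplicate entry names in the ZIP. The APK bytes are
constructed in memory below; only the MANIFEST.MF layer of JAR signing is
modelled (the CERT.SF and CERT.RSA files of a real APK are left out)."""
import base64
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def sha1_b64(data: bytes) -> str:
    """Digest encoding used by JAR manifests: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(signed_files: dict) -> bytes:
    """MANIFEST.MF with one Name/SHA1-Digest section per signed file."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in signed_files.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()


def parse_manifest(text: str) -> dict:
    """Map entry name -> expected base64 SHA-1 from a MANIFEST.MF body."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def build_apk(signed_files: dict, entries: list) -> bytes:
    """Constructed APK: manifest over signed_files, then `entries` written in
    the given order (names may repeat; zipfile allows that with a warning)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")          # silence "Duplicate name"
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", build_manifest(signed_files))
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def naive_check(apk: bytes) -> bool:
    """A verifier that looks entries up by name. With duplicate names it
    silently checks only the copy the ZIP library happens to return
    (Python's zipfile returns the last one) and never sees the other."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        return all(sha1_b64(zf.read(n)) == d for n, d in digests.items())


def check_apk(apk: bytes) -> list:
    """Per-entry verifier: walks every central-directory record, reads each
    one by its own offset, and reports duplicates, unsigned entries and
    digest mismatches. Returns an empty list for a clean package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        infos = zf.infolist()
        counts = Counter(info.filename for info in infos)
        findings += [f"duplicate entry: {n}" for n, c in counts.items() if c > 1]
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
        for info in infos:
            if info.filename.startswith("META-INF/"):
                continue
            with zf.open(info) as f:          # ZipInfo, not name: this copy
                actual = sha1_b64(f.read())
            expected = digests.get(info.filename)
            if expected is None:
                findings.append(f"unsigned entry: {info.filename}")
            elif actual != expected:
                findings.append(f"digest mismatch: {info.filename}")
    return findings


# Constructed sample packages (placeholder bytes stand in for real dex code).
ORIGINAL = {"classes.dex": b"legitimate dalvik bytecode",
            "AndroidManifest.xml": b"<manifest/>"}
CLEAN_APK = build_apk(ORIGINAL, list(ORIGINAL.items()))
# Trojanized copy: the signed original is kept, a second classes.dex is
# inserted ahead of it, and the manifest is left untouched.
TROJAN_APK = build_apk(ORIGINAL, [("classes.dex", b"trojan bytecode")]
                                 + list(ORIGINAL.items()))

if __name__ == "__main__":
    print("clean:  ", naive_check(CLEAN_APK), check_apk(CLEAN_APK))
    print("trojan: ", naive_check(TROJAN_APK), check_apk(TROJAN_APK))
```

The point of the two verifiers is the disagreement: `naive_check` accepts the trojanized package because it only ever hashes the copy its ZIP library hands back by name, while `check_apk` reads each central-directory record by its own offset and reports both the duplicate and the mismatching copy. Any tool that decides what a package "contains" by name lookup, whether a signature verifier or the installer, is exposed to the same ambiguity; a sound check treats a duplicate entry name as a hard failure rather than picking one copy.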

Google has known about the weakness since February, and the Samsung Galaxy S4 has already been patched, according to sources. Google has also blocked such modified apps from being installed through Google Play. They can still reach a device via email, a third-party store, or basically any website. The worst case, according to BlueBox, is a trojanized version of an application from the device manufacturer, since those apps generally run with elevated access:

“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. (read: android spyware) The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.”  Basically this is really bad!

We recommend that users of all Android phones double-check the source of any app they install, keep their devices updated, and take precautions to protect their data. Android users should be doing this anyway, since the platform carries an inherent malware risk. That risk is much greater for users who venture outside the Google Play store to download apps.

The exact impact of this security issue is unknown, and there is no specific timeline for a remedy that we know of. Manufacturers will likely release their own fixes. It may be possible to remove a trojanized app simply by uninstalling it, but on severely affected devices it may be necessary to restore the phone to factory settings. In the meantime, remember to:

  1. Only download apps from trusted sources such as the Google Play store.
  2. Double check the source of apps.
  3. Keep your Android updated.
  4. Use strong passwords.
  5. Use a solid anti-spyware/antivirus application on your phone.