What if hackers could take an existing legitimate app or update with a valid digital signature, and modify it in order to use it as a malicious Trojan to access everything on your Android phone or tablet?
Last week, researchers from Bluebox Security announced that the Android operating system has been vulnerable to hackers for the past four years, allowing them to modify or manipulate any legitimate application and enabling them to transform it into a Trojan programme.
The bug hasn't, so far, been spotted being exploited in the wild, but technical details and a proof-of-concept exploit have been published for a recently announced publicly by Pau Oliva Fora, a mobile security engineer at security firm ViaForensics.
Jeff Forristal of Bluebox security stated that the security hole as been around since at least Android 1.6, and it could affect all Android devices i.e. around 900 million devices could be affected by hackers.
CyanogenMod, a popular open source distribution of Android 4.1, has now included a patch for the vulnerability in its firmware code.
Today Google has also released a fix for this particular critical vulnerability, and released to original equipment manufacturers (OEM)s.
In the meantime, if you are running a device that may be vulnerable to this exploit, you should be advised to only install APKs from completely trusted sources, such as the Play Store.