Skip to main content

It’s OK! Android’s latest malware scare probably won’t affect you

Android Malware
Image used with permission by copyright holder

What if hackers could take an existing legitimate app or update with a valid digital signature, and modify it in order to use it as a malicious Trojan to access everything on your Android phone or tablet? When researchers from a mobile security startup called Bluebox Security revealed that they had identified just such a vulnerability that affected “99 percent” of Android devices, it made tech headlines across the Web. But should you be worried?

What is the problem?

“This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years,” explained Jeff Forristal, Bluebox  CTO, in a post on the company blog. He went on to point out that “…a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”

APK, or Android application package, files are at risk because this flaw allows hackers to alter a legitimate app or update, but retain the digital signature that verifies it as secure. They could create a fake app to steal your passwords and use a legitimate digital signature, so that your Android phone thinks it’s made by a company like Samsung, HTC, or even Google itself. Since device manufacturers and trusted partners produce apps with privileged access to your Android system, the risk of something malicious piggybacking its way onto your phone is very serious.

What’s being done about this?

Bluebox revealed Android security bug 8219321 to Google back in February 2013. Google has already updated the Play Store so that there are checks in place to block any malicious apps using this exploit. Google shared the bug with its hardware partners in the Open Handset Alliance and some manufacturers have already released patches to fix this security issue.

How can I avoid malware?

If you are careful never to leave your phone unattended and you only install apps and updates from Google Play then there’s no real cause for concern because you’re not really at risk from this exploit. If you want to make sure you’re not affected, go into Settings > Security and make sure that the allow installation from “unknown sources” box is unchecked.

We’ve discussed the Android app security basics before and they still apply. Criminals are now unable to use the Google Play Store to circulate malware using this exploit so it’s now safe to download apps there. What you should avoid is installing apps or updates from other sources – even the Samsung or Amazon app stores –  at least, for now. Third-party Android app stores and direct links on websites are the most likely delivery methods, but malware could arrive via email, or even transfer onto your device via a USB cable (if you connect your phone to your computer).

“The main problem for spreading malware on Android is to get the user to download and install something from insecure sources (certain third-party markets or directly from the web),” Maik Morgenstern, from the independent security institute, AV-Test, explained to us. “The reported vulnerability doesn’t ‘help’ malware authors here in any way. The would still have a hard time getting their creations in the Google Play Store and even if they succeed, their apps wouldn’t be listed under the original author’s account, of course. [For example,] if they create a trojanized version of Angry Birds, it would be listed under the Malware Authors Name and not under Rovio. So users would hardly stumble over these trojanized apps. If users only download apps from the Google Play Store they should be safe.”

So, I can relax?

The problem with Android is that Google can take action to fix flaws and hacking exploits, but it can’t roll out a system wide update.

“The main problem is the update policy of many manufacturers,” Morgenstern told us. “Old devices don’t receive updates anymore (so these devices will stay vulnerable) and even updates for new devices can take months.” 

It is up to individual manufacturers and mobile carriers (AT&T, Verizon, T-Mobile, Sprint, etc) to push updates out to devices. It’s common for older Android devices to be left behind. If you have an older device that’s at risk and you’re not happy sticking to Google Play then you could be exposed for some time to come. 

Update 7-9-2013: Advice from Bluebox

After this article was published, Bluebox contacted us. They are urging users that the best way reduce the risk of this vulnerability is to “Check with your device manufacturer or your mobile carrier about your specific Android device model and OS version to see if a recent update/fix has been made available.” They also point out that you may need to check the release notes for confirmation that a fix is included in the update. If you can’t find one for your device, they suggest that you should avoid installing anything from outside Google Play for the time being.

The Bluebox CTO, Jeff Forristal, is planning to release technical details of the issue at his talk at Black Hat USA 2013 at the end of the month. It remains to be seen how the major Android device vendors will react. We will keep you posted.

Article originally published 7-8-2013.

Editors' Recommendations

Simon Hill
Former Digital Trends Contributor
Simon Hill is an experienced technology journalist and editor who loves all things tech. He is currently the Associate Mobile…
The best ad-blocking apps for Android in 2022
ad blocker feat image

No one likes ads -- pop-up or otherwise -- intruding on their online experience of reading or video viewing, but ads are everywhere on the internet. One of the best ways to shield yourself from them is to install ad-blocker software that detects and disables annoying videos, graphics, and text ads that appear on your Android device while using apps or browsing websites.

Ad-blocking is controversial, which is why Google has removed specific ad-blocking apps from the Play Store. Google's business model is built on ads, so the issue goes beyond the relative quality of ads. Ads are a financial lifeline for many sites -- the difference between running a site and shutting it down. Installing an ad-blocker app on your Android device means you are likely affecting the livelihood of those who run the sites you enjoy, so try to be selective.

Read more
The best thing about Android 13 isn’t a new feature or setting — it’s something else
Android 13 logo on a Google Pixel 6a.

After months of testing, Google has finally unleashed Android 13, its current Android smartphone update for 2022. As far as updates go, it's not one that you'll notice. I've been using Android 13 for around two months prior to its release, and it's been a pretty whelming experience.

Unlike iOS 16, which is a large and hefty update, Android 13 is rather pedestrian. There's not much differentiating it visually or functionally from previous Android releases. Much of what sets Google apart from Apple on this front is that Apple frontloads all its significant app improvements into its big iOS releases. Google trickles its features out as soon as they're ready, so many features announced with Android 13 -- like a revamped Google Wallet and tablet-optimized apps -- have already landed. Because of that, Android 13 is an update that's barren of excitement.

Read more
Wireless charging not working on your Pixel with Android 13? You aren’t alone
Google Pixel 6 Pro in hand.

Android 13 has been hotly anticipated for months, but following its rollout to Pixel users last Monday, many have been reporting issues with wireless charging. As first spotted by 9to5Google, Pixel owners have been posting their issues to Reddit in hopes of finding a simple community fix, but based on the number of complaints, there seems to be more at work.

While the hope is always that companies like Google will put their best foot forward when launching new software, sometimes new bugs are found after pushing an update globally. If your Pixel is having trouble with wireless charging, don't worry: you're not alone.
What does the issue look like?

Read more