Skip to main content

It’s OK! Android’s latest malware scare probably won’t affect you

Android Malware
Image used with permission by copyright holder

What if hackers could take an existing legitimate app or update with a valid digital signature, and modify it in order to use it as a malicious Trojan to access everything on your Android phone or tablet? When researchers from a mobile security startup called Bluebox Security revealed that they had identified just such a vulnerability that affected “99 percent” of Android devices, it made tech headlines across the Web. But should you be worried?

What is the problem?

“This vulnerability, around at least since the release of Android 1.6 (codename: “Donut” ), could affect any Android phone released in the last 4 years,” explained Jeff Forristal, Bluebox  CTO, in a post on the company blog. He went on to point out that “…a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”

Recommended Videos

APK, or Android application package, files are at risk because this flaw allows hackers to alter a legitimate app or update, but retain the digital signature that verifies it as secure. They could create a fake app to steal your passwords and use a legitimate digital signature, so that your Android phone thinks it’s made by a company like Samsung, HTC, or even Google itself. Since device manufacturers and trusted partners produce apps with privileged access to your Android system, the risk of something malicious piggybacking its way onto your phone is very serious.

What’s being done about this?

Bluebox revealed Android security bug 8219321 to Google back in February 2013. Google has already updated the Play Store so that there are checks in place to block any malicious apps using this exploit. Google shared the bug with its hardware partners in the Open Handset Alliance and some manufacturers have already released patches to fix this security issue.

How can I avoid malware?

If you are careful never to leave your phone unattended and you only install apps and updates from Google Play then there’s no real cause for concern because you’re not really at risk from this exploit. If you want to make sure you’re not affected, go into Settings > Security and make sure that the allow installation from “unknown sources” box is unchecked.

We’ve discussed the Android app security basics before and they still apply. Criminals are now unable to use the Google Play Store to circulate malware using this exploit so it’s now safe to download apps there. What you should avoid is installing apps or updates from other sources – even the Samsung or Amazon app stores –  at least, for now. Third-party Android app stores and direct links on websites are the most likely delivery methods, but malware could arrive via email, or even transfer onto your device via a USB cable (if you connect your phone to your computer).

“The main problem for spreading malware on Android is to get the user to download and install something from insecure sources (certain third-party markets or directly from the web),” Maik Morgenstern, from the independent security institute, AV-Test, explained to us. “The reported vulnerability doesn’t ‘help’ malware authors here in any way. The would still have a hard time getting their creations in the Google Play Store and even if they succeed, their apps wouldn’t be listed under the original author’s account, of course. [For example,] if they create a trojanized version of Angry Birds, it would be listed under the Malware Authors Name and not under Rovio. So users would hardly stumble over these trojanized apps. If users only download apps from the Google Play Store they should be safe.”

So, I can relax?

The problem with Android is that Google can take action to fix flaws and hacking exploits, but it can’t roll out a system wide update.

“The main problem is the update policy of many manufacturers,” Morgenstern told us. “Old devices don’t receive updates anymore (so these devices will stay vulnerable) and even updates for new devices can take months.” 

It is up to individual manufacturers and mobile carriers (AT&T, Verizon, T-Mobile, Sprint, etc) to push updates out to devices. It’s common for older Android devices to be left behind. If you have an older device that’s at risk and you’re not happy sticking to Google Play then you could be exposed for some time to come. 

Update 7-9-2013: Advice from Bluebox

After this article was published, Bluebox contacted us. They are urging users that the best way reduce the risk of this vulnerability is to “Check with your device manufacturer or your mobile carrier about your specific Android device model and OS version to see if a recent update/fix has been made available.” They also point out that you may need to check the release notes for confirmation that a fix is included in the update. If you can’t find one for your device, they suggest that you should avoid installing anything from outside Google Play for the time being.

The Bluebox CTO, Jeff Forristal, is planning to release technical details of the issue at his talk at Black Hat USA 2013 at the end of the month. It remains to be seen how the major Android device vendors will react. We will keep you posted.

Article originally published 7-8-2013.

Simon Hill
Former Associate Mobile Editor
Simon Hill is an experienced technology journalist and editor who loves all things tech. He is currently the Associate Mobile…
You won’t find this Galaxy S24 Ultra deal on Samsung’s website
A person holding the Samsung Galaxy S24 Ultra using the Circle to Search feature.

The Samsung Galaxy S24 Ultra is a tempting smartphone with some unique new features, but it's also Samsung's most expensive non-foldable phone. That's probably why you're on the hunt for deals. Samsung's site has a lot of great deals for pre-ordering the Samsung Galaxy S24 Ultra, but we're here to give you an exclusive discount that you can't find on Samsung's site. By clicking the button below, you'll get $50 in Samsung credit when you buy the Ultra. You can still take advantage of the other discounts on Samsung's site, like $750 trade-in, $100 more Samsung credit, and a 15% student discount. This deal is only available for a couple more days, as preorders end on January 30.

Pre-Order Now

Read more
Samsung just killed one of its most important Android phones
Galaxy Fold open.

Today marks a milestone in the era of foldable smartphones as Samsung officially puts its legendary first-generation Galaxy Fold out to pasture.

After four years on the market, the original Galaxy Fold will no longer receive regular security updates. To be fair, the first Fold was already living on borrowed time, as it was left out of last year’s Android 13 update. However, when Samsung launched the expensive foldable, it promised a full four years of security updates for the device.

Read more
I took these pictures with the Google Pixel 8, but you won’t believe me
A person holding the Google Pixel 8, showing the back of the phone.

This time last week I was a bit stuck. The Google Pixel 8 was in my hand, and I wanted to take photos with it. After all, it’s the big selling point of this phone, and it was important to see if it continues the great Pixel tradition of housing a fantastic camera. Except I was feeling rather uninspired and creatively blocked.

Pondering what to do, I just went out and took photos, because I wanted to see what all the software behind the new camera could do to make ordinary pictures something special when I got home. What I found is it takes ordinary photos and turns them into something unbelievable, in both good and bad ways, and it barely makes sense that all this is possible on a phone.
Why the Google Pixel 8's camera is so special

Read more