A security consultancy has discovered a massive hole in Android that bypasses the OS’ code signing safeguards.

android trojan Security firm reveals massive hole in Android

Researchers at the consultancy Bluebox Security have discovered a massive hole in Android that would allow a hacker to takeover an app and convert it to a trojan.

The security hole discovered would allow an attacker to change the contents of an application while leaving the cryptographic signature — the safeguard to ensure the code isn’t tampered with — intact. Likely, the existence of this security hole means the app’s signature is vulnerable to a cryptographic hash collision attack.

If the attack was successfully completed, the app would then have full access to the device’s contents, thus could siphon data and passwords or activate the device’s hardware like the camera.

“This vulnerability could affect any Android phone released in the last four years — or nearly 900 million devices,” said Bluebox’s CTO Jeff Forristal in a blog post.

Bluebox posted a screenshot in the blog post showing it could modify an Android device’s system-level software information demonstrating that it was able to access any permission level on the device. In the screenshot the renamed the baseband version string (normally controlled by system firmware) to be “Bluebox”.

bluebox security hacked htc Security firm reveals massive hole in Android

Bluebox has not yet released any proof of concept code.

Bluebox claims it has notified Google of the security vulnerability, but has not yet received a response or been altered to the production of an OS patch. Bluebox’s CTO said plugging the hole will largely be the responsibility of device manufacturers. Speaking to CIO, Forristal said that the Samsung Galaxy S4 is currently immune to the exploit presumably because there is a patch being rolled out by Samsung.

While Google has remained silent on the issue, Forristal says that patches for the Nexus family are in production.

Bluebox says the vulnerability has existed since Android 1.6.

Sources: Bluebox Security, CIO