Android security flaw affects 99 percent of phones, researcher says

Jeff Chiu/AP - Visitors walk past the Android booth on the floor at Google I/O 2013 in San Francisco, Wednesday, May 15, 2013. (AP Photo/Jeff Chiu)

Security researchers believe they have found a major security flaw in Google’s Android mobile operating system, which could affect up to 99 percent of Android phones now in consumers’ hands.

In results published Wednesday by the Bluebox Security research firm, chief technology officer Jeff Forristal said the flaw gave hackers a “master key” into the Android system.

Google declined to comment on the report.

The problem lies in the security verification process that has been used on the Google Play applications store since the release of Android 1.6. It could leave up to 900 million devices open to hackers. The flaw, the research firm said, is a weakness in the way that Android applications verify changes to their code. The weakness would allow hackers to “turn any legitimate application into a malicious Trojan” without attracting the attention of Google’s app store, a mobile phone or the person using an application.

The result, researchers said, would be that anyone who breaks into an app this way would have access to the data that app collects and — if an app made by the device manufacturer gets exploited — could even “take over normal functioning of a phone.”

In the post, Forristal said that Bluebox reported the security flaw to Google in February. In an interview with CIO, he said that some manufacturers have already released fixes for the problem, specifically naming the Samsung Galaxy S4.

Security is a common concern on Android phones, in part because the open nature of the system also means that it’s easy for anyone to find out how it works. Android is the OS of choice for 75 percent of the world’s smartphones, IDC reported in May. But a report released in March from the F-Secure security firm found that 79 percent of all mobile malware found in 2012 was running on Android phones.

This problem is exacerbated by the fact that so many smartphone manufacturers use their own versions of the Android operating system, making it more difficult to get system updates that may include security fixes out to customers.
