In a follow up to our recent report regarding how an Android Security Bug was found to let hackers gain system access, Google has released a fix to its Android original equipment manufacturers (OEM’s) for this bug, named: Android security bug 8219321 as unearthed by Bluebox Security in February this year. The flaw was confirmed from Google’s Android Communications Manager, Gina Scigliano, she said “a patch has been provided to our partners.” She also mentioned “Some OEMs, like Samsung, are already shipping the fix to the Android devices.”
The flaw in question will allow a hacker to turn a legitimate app into malicious files by modifying APK code without breaking the app’s cryptographic signature. In response to this, Google has already modified its Play Store’s app entry process to scan for the exploit so apps that have been modified using this vulnerability can no longer be distributed via the Play Store. Bluebox Security discovered the hole in Android’s code, which it claims could potentially affect 99 percent of Android devices, back in February and informed Google at that time. (but only made it public recently). Samsung’s Galaxy S4 was named then as one Android device that had already been patched, so it seems likely that this model is the device Gina Scigliano referred to when she cited Samsung as a manufacturer already shipping a fix. The problem for Android users is that even though Google has now in fact released a fix to its OEMs, they still have to wait for the maker of their particular handset to implement and ship the fix. This also poses another question, how long before their particular carrier tests it? Having to wait around to receive updates is a byproduct of the freeness and fragmentation of the Android sphere, still, it does not sound like this particular Android flaw has been widely exploited thus far. Scigliano has told ZDNet: “We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue and Verify Apps provides protection for Android users who download apps to their devices outside of Play.” But just because it has not been widely exploited yet, does not mean it will not be…does it?