A major vulnerability in Android that was discovered at the beginning of this month has been exploited in two separate applications in China.
The bugs enable hackers to install unauthorised code into genuine apps without affecting the cryptographic signature that is used to authenticate the application. All apps contain a signature to confirm their identity with the device. Google has scanned its Play Store to ensure that no apps contain this bug; however, this precaution will not protect users who have downloaded apps from different stores.
Exploiting the bug means that hackers can insert malicious code into genuine Android OS apps without detection by the device. Viruses can be used to steal data, collect passwords, record calls, read messages and so on. The discovered malware, named ‘Android Skullkey’, also sent messages to premium-rate numbers. Android Skullkey has been discovered in two separate medical apps in China.
Google has released a patch for the bug; however, manufacturers have yet to deploy it to all potentially affected users.