Android ‘Master Key’ Security Flaw Affects 900M Devices; Could Create Botnet
The Android “master key” security flaw potentially puts 99 percent of all devices at risk of exploitation, a security firm said on Thursday.
Bluebox Security’s Jeff Forristal said that the flaw allows hackers to potentially exploit an Android smartphone or device.
“The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years,” or around 900 million devices, he wrote in a blog posting.
Forristal noted that Google, the maker of Android, was told of the problem in February.
He elaborated on the problem.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed,” he wrote.
“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).”
He added that the flaw presents an even more alarming problem.
“Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet,” Forristal wrote.
The TechCrunch blog pointed out that the exploit affects 99 percent of Android devices.