Researchers have uncovered a major security flaw in the Android operating system that allows hackers to modify trusted apps without changing their verification signature. Attackers could take advantage of the vulnerability to install keyloggers, backdoors, and other malicious functions into apps, which would continue to look completely legitimate to their users.

The flaw was discovered by mobile security startup Bluebox, which claims that 99% of Android-powered devices — or around 900 million smartphones and tablets — are vulnerable. The issue has been present since Android 1.6 Donut, which was first released in September 2009.

Depending on the type of application, hackers could use the flaw for “anything from data theft to creation of a mobile botnet,” Bluebox reports. And because their modifications do not break an app’s verification signature, they can enjoy the same system privileges as a legitimate one.

Not only could the apps read arbitrary data on your device — such as your emails, text messages, and documents — but they could also obtain all the passwords for accounts you have setup, and take over your device’s functionality, such as its phone or text messaging features.

So, how does it work?

“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature,” Bluebox explains.

“All Android applications contain cryptographic signatures, which Android uses to determine if the app is legitimate and to verify that the app hasn’t been tampered with or modified. This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been.”

The good news is, Bluebox quietly reported this issue to Google back in February, so the Android maker is already aware of the problem. The bad news is, it’s up to device manufacturers to address it and rollout updates that will patch the flaw and prevent the kind of attacks mentioned above from happening.

And we all know how long it takes for device manufacturers to issue software updates. What’s more, many manufacturers no longer support older devices, so two- or three-year-old handsets that are affected by this flaw may never see a fix.

Bluebox says that “technical details of the issue,” as well as related tools and materials, will be released as part of its Black Hat USA talk at the end of this month. In the meantime, Android users can keep the risk of attack to a minimum by cautiously identifying the publisher of the apps they wish to install on their devices.

• SourceBluebox
• ViaArs Technica