Android is under intense scrutiny again tonight as reports surface that nearly 50% of all Android devices are vulnerable to a security flaw that has gone unchecked. Google maintains that it has patched the problem areas, but reports indicate that nearly 50% of devices are still at risk, leaving millions of Android devices exposed to a potentially malicious installer that would hijack the existing software on the phone.
Samsung and Amazon are said to have released updates that corrected the flaw as well, but that hasn’t stopped a large portion of devices from being at risk. Palo Alto Networks detected the flaw, and Google has been quick to respond, pointing out that the flaw itself hasn’t been exploited yet. However, given the security risk and the potential damage to the devices and to the individuals who use them, it raises valid concerns.
“Android Installer Hijacking” gains access to the device through an app installed from a third-party app store. The security flaw is concerning enough that Google has started working to remedy the vulnerability. The troublesome part is that, if the flaw is taken advantage of, the entire device is left wide open for an attacker to take control of and look through unhindered. That means they would have access to usernames, passwords, bank information, or anything else that users might want to keep private.
The flaw allows the APK file to be modified, after which the attacker can operate from inside the device. This is not a flaw that appeared recently. It was first discovered in January of 2014, and at that time it affected 90% of all Android devices. While that figure has since dropped to 49%, the problem remains that the flaw has existed for more than a year with no absolute resolution.
Android versions 2.3, 4.0.3 to 4.0.4, 4.1.x, and 4.2.x are all impacted, and the team believes that some 4.3 devices might still be vulnerable as well. Android 4.4 devices were updated correctly, with the flaw eradicated, but the vulnerability remains incredibly serious for anyone running an Android device that could be at risk.