Despite knowing since this past February that a significant vulnerability in Android’s security could enable cyber attackers to take over a user’s smartphone, Google (GOOG) only just provided a patch to OEMs to ship to customers, according to a ZDNet report.
Security researcher Bluebox Labs, which uncovered the security flaw and reported it to Google last February, said the vulnerability has been present for nearly four years and impacts Android back to version 1.6, or nearly 900 million devices.
According to the ZDNet account, a Google spokesperson confirmed that the vendor has begun shipping patches to the search giant’s OEM partners, meaning Android-based smartphone users will have to turn to their hardware vendors for the security update.
Gina Scigliano, Google's Android communications manager, is quoted as saying, “A patch has been provided to our partners—some OEMs, like Samsung, are already shipping the fix to the Android devices."
The security weakness involves the cryptographic signature of authentic Android applications, an assurance that the software hasn’t been meddled with by third parties other than the actual developer, according to Bluebox. The security researchers discovered how to deceive Android’s way of checking the signatures to enable malware code to slip by. As a result, any app or program written to take advantage of the weakness would gain access to a user’s phone in the same way a legitimate app does.
Bluebox chief technology officer Jeff Forristal said the vulnerability can be exploited by a hacker for anything from data theft to creating a mobile botnet. So far the Android security vulnerability hasn’t been capitalized on by an attacker, Forristal said, which Scigliano confirmed, according to the ZDNet report.
"We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools,” she said. “Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play."