BlueBox, a security research firm, said it discovered a "mastery key" loophole for nearly all Android phones that could make it easy for cybercriminals to hack into users' operating systems. The bug could be used by hackers to steal personal data from Android users and allow the criminals to send people junk messages, BBC reported.
While there has not been evidence that cyberthieves have exploited the loophole, BlueBox said the implications of this loophole were "huge." The bug exists in every Android device made since 2009, or 900 million phones, the firm said on its blog.
Android phones uses cryptographic signatures as a way to check the legitimacy of an app downloaded on the device, the BBC reported. However, the bug tricks the operating system so malicious changes to apps go unnoticed.
"[I]t can essentially take over the normal functioning of the phone and control any function thereof," BlueBox said. Also unsettling is that the bug could potentially allow a hacker to "take advantage of the always-on, always-connected and always-moving (therefore hard-to-detect) nature of these 'zombie' mobile devices to create a botnet," the firm's blog continued.
An app can be written to exploit the bug, which would make a user's Android operating system accessible by outside attackers. The Samsung Galaxy S4 already as developed a fix for the loophole, the Daily Mail reported. Google's Nexus devices, however, do not have a fix at this time.
Dan Wallach, a professor who specialized in Android security at Rice University's computer science department, told the source he imagines Google will "move quickly" to prevent such mobile attacks.
Android Users Should be Cautious
BlueBox disclosed this finding to Google in February. Google has not offered a comment on the topic, BBC reported. BlueBox plans to offer more details on the Android bug in August at the Black Hat hacker conference.
For now, the security research firm suggests Android users should be extra cautious when identifying the publisher of an app they plan to download to the phone. Businesses, too, should be careful if they allow their employees to use personal mobile devices to store and access company data, BlueBox said. IT professionals should also be focusing their efforts on "deep device integrity checking" and ensuring their organization has proper data breach protection measures in place to protect against potential cyberattacks.