A GitHub user has posted a “quick and dirty” proof of concept for a “master key” flaw in Google’s Android operating system that caused a palava last week.
Now the code has been posted publicly online, there are fears crooks will start exploiting the vulnerability if they haven’t already.
The vulnerability allows Android application packages (APKs) to be tampered with, without disturbing the cryptographic signature designed to guarantee an app’s authenticity and safety.
An attacker could insert malicious code into a legitimate APK, effectively Trojanising it, which would be particularly nasty if that APK had wide access to the OS.
Details of the flaw, which was said to affect almost all versions of Android, were not fully released by Bluebox Security as it is planning to go into more detail at the BlackHat conference later this month.
Despite not having the additional information, GitHub user poliva, or Pau Oliva of viaForensics in Spain, has posted 32 lines of code he claimed exploited the flaw to get dirty code inside an APK.
This could be bad news for Android users, but it appears many are acting to cover off the vulnerability, which was reported to Google by BlueBox in March.
CyanogenMod, a popular open source distribution of Android 4.1, has now included a patch for the vulnerability in its firmware code.
Google has not responded to a request for comment on the matter, although it is believed it has delivered a patch to device manufacturers. It is now up to them to send out patches to users.
Google has also reportedly blocked any apps that could be exploited by the flaw from its official store. But users should still be careful about trusting anything from a third-party app seller.
And there have been no reports of exploits in the wild as yet, indicating cyber criminals have not jumped on the bandwagon just yet.
Think you know everything about Android? Try our quiz!
Boeing Starliner space capsule set for first crewed flight into orbit after years of delays,…
Google clashes with US Justice Department in closing arguments as government argues Google used illegal…
Prominent Stanford University AI scientist Fei-Fei Li reportedly completes funding round for start-up based on…
Apple shares surge on optimism that new AI-focused hardware launches will drive renewed sales, starting…
Biden vetoes Republican-backed measure amidst dispute over 'joint employer' status for contract workers, affecting tech…
Lawyers in US social media addiction action say strict controls on Douyin in China show…