On July 3, the security firm BlueBox announced that it had discovered a “master key” that allows hackers to take control of users’ phones. In doing so, it highlighted a struggle that Google Inc (NASDAQ:GOOG), makers of Android, will forever need to worry about given the amount of companies that manufacture Android handsets. Samsung Electronics Co., Ltd. (LON:BC94) (KRX:005930) and HTC Corp (TPE:2498), to name just a couple of the many manufacturers, also reserve the right to add their own interfaces on top of Android. This stands in stark contrast to Apple Inc. (NASDAQ:AAPL) who is the only manufacturer of phones that run its iOS.
Hacking key harvests passwords and photos
Each new Android app has an encrypted signature built-in that the operating system uses to verify that a program is bug-free and has not been tampered with by outside elements. However, BlueBox announced that it had discovered a means by which it could change an app’s code without modifying this signature. They went on to say that using this “master key” could allow the less nice people of the world to install a Trojan on a phone, essentially granting full access to an Android phone. This includes, but is not limited to, harvesting of passwords, recording telephone calls, and taking photos. A user’s phone would send this information to the hacker.
China phone owners fall victim to ‘Android.Skullkey’ hack
Today, the BBC reported that Symantec, the virus protection firm, has found two apps distributed in China that have fallen victim to this exploit. While Google Inc (NASDAQ:GOOG) is looking to rectify the situation and scans its own Google Play app store, the open nature of Android does not protect users from apps distributed elsewhere.
According to Symantec, attackers have exploited this “back-door” to install malware called ‘Android.Skullkey’. Skullkey hijacks data from compromised phones, monitors and records texts received and written on the phone, and also sends SMS messages to premium numbers, potentially costing the phone’s owners a large amount of money given the frequency of these texts before discovery.
“We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices,” Symantec’s report warned.” Symantec recommends users only download applications from reputable Android application marketplaces.”
Both programs that Symantec found the exploit embedded in were designed to help users make doctor appointments from their phones and tablets. Symantec also said that users could simply remove Skullkey in the settings menu of their devices.