Researchers said they've uncovered a security vulnerability that could allow attackers to take full control of smartphones running Google's Android mobile operating system.
The weakness involves the way legitimate Android applications are cryptographically signed to ensure they haven't been modified by parties other than the trusted developer, according to a blog post published Wednesday by researchers from mobile security startup Bluebox. The flaw has existed since at least the release of Android 1.6 almost four years ago. Hackers who exploit the vulnerability can modify app code to include backdoors, keyloggers, or other malicious functionality without changing the verification signature.
Malicious apps that exploit the vulnerability would enjoy the same system privileges as the legitimate one. That access could be especially dangerous if the app that's modified originated with the handset manufacturer or third parties that partner with the manufacturer, Wednesday's blog post said. That's because such apps are typically granted elevated privileges within the Android OS.