News is quickly spreading across the Internet of another potential security threat to Android devices.

The BBC covered it by saying:

"A "master key" that could give cyber-thieves unfettered access to almost any Android phone has been discovered by security research firm BlueBox.

The bug could be exploited to let an attacker do what they want to a phone including stealing data, eavesdropping or using it to send junk messages.

The loophole has been present in every version of the Android operating system released since 2009.

Google said it currently had no comment to make on BlueBox's discovery."
The Huffington Post, went on to report that...

"The method demonstrated by Bluebox would let app developers modify an update to a legitimate app to look like a system file, which can then be used to take control of a phone. With the right signature disguising its real motives, the update could log passwords, credit card information, photos, emails - essentially anything on your mobile device.

"The implications are huge," Bluebox explains on its website.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet."
Meanwhile, Ars Technica have also covered the story...

While it would be devastating if an attacker was able to get such a modified APK into the Google Play Store, or somehow use the technique to hijack the update mechanism of legitimate apps, there are probably safeguards already in place to prevent such attacks.

"I imagine that Google would move quickly to add some logic to look for such attacks," Dan Wallach, a professor specializing in Android security in the computer science department of Rice University, told Ars. "Without that available to an attacker, this is likely to only be relevant for Android users who use third-party app stores (which have lots of other problems). This bug could also be valuable for users trying to 'root' their phones."

Blue box researchers privately reported the vulnerability to Google in February.
So, while this would appear to have the potential to be a problem, there is a lot of difference between "potential" and "actual".

What is your take on this latest security story?

As originally posted by janner43