4-Year-Old Android Bug 8219321 Emerges with Modified Signature Puts Most Devices in Danger of Malware

Android malware creators are busier than ever, conjuring up new ways to exploit devices running what happens to be in a race to be the most popular mobile operating system around. With Android malware creators grasping at every straw to launch the latest attack on mobile devices, they have taken their efforts back to about 4 years to reintroduce an older Android bug that may allow malicious Trojans to appear as verified apps.

The technique of masking malicious apps where they are commonly recognized as legitimate using cryptographic signatures, is something we have seen take place on the PC software scale. This technique, basically manipulating malicious apps to have a key (APK file) that matches the one provided by the software developer, allows malicious code to be easily injected, and the user never made aware of the circumstances. The particular bug brought back from the dead, dates back to 2009 when Android 1.6 Donut was the latest version of the popular mobile operating system. Having a stunning past with a 4-year-old version of Android, the bug could essentially affect any Android phone related in the last 4 years, which amounts to nearly 900 million devices.

The aged Android bug is reportedly a means for hackers to exploit the vulnerability for anything from data theft to the creation of a mobile botnet. The remarkable suggestion of a mobile botnet is surprising, yet a scary scenario. Could you imagine hundreds to thousands of zombie Android mobile devices consistently being instructed to carry out malicious actions over the internet?

It is up to device manufacturers to produce and release firmware updated for mobile devices so the gaping holes allowing the Android bug 8219321 to re-emerge from its 4 year hiatus. With the creators of this Android bug using a potentially verified key to vehemently be viewed as legitimate and land on a plethora of devices.

Bluebox security research team, who first uncovered the 'Android Master Key' or current Android bug identified as #8219321, has made Google aware of the issue back in February of this year (2013). Ultimately, as mentioned earlier, it is reiterated by Bluebox that it is up to the device manufacturers to release a Firmware update to resolve issues like this.