Security firm BlueBox has discovered an Android ‘master key’ which could enable access to every version of Android released since 2009.
BlueBox claims thieves could exploit the bug to gain direct access to data, eavesdrop and send junk mail on individual devices.
Jeff Forristal posted on the BlueBox blog that the implications of the find were “huge”, adding: “Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed.
“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account and service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).
“Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these ‘zombie’ mobile devices to create a botnet.”
BlueBox said device owners should be extra cautious in identifying the publisher of any app they are downloading.
Google has so far declined to comment on the revelations.