Bluebox Security has revealed a loophole in Android’s security model that can potentially affect up to 99 percent of Android devices in existence. The vulnerability, which is claimed to have existed since Android 1.6 (Donut), allows malicious app developers to modify the code of a legitimate APK without breaking its cryptographic signature, which could mean that malicious code is installed unnoticed. The exploit can be leveraged when the user downloads and installs a malicious “App Update”, and it could allow full access to the device if the malicious code were a System Update.
The Samsung Galaxy S 4 is the only device that is immune to this bug.
Bluebox notified Google of the exploit in February. Google is currently working on a security update for Nexus devices. Users can stay secure on their side by relying on the Play Store and Android’s built-in system update utility for any installations or updates.