You may have heard about a pretty scary bug discovered by Bluebox Security that, by its count, affects 99% of current Android devices. The gist of the exploit: take a signed application, say one you'd download from Google Play, and repackage it with malware in a way that leaves the original developer's cryptographic signature intact, so the modified app still installs and verifies as the genuine article.
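The post doesn't spell out the mechanism, but the publicly disclosed detail of the Bluebox bug was that a repackaged APK could carry two entries with the same file name, and the component that verified the signature read one copy while the installer used the other. The check below is an added example written for this post, not code from Bluebox or Google: it builds a constructed, APK-shaped ZIP in memory (the file names and contents are made up) and flags any entry name that appears more than once in the central directory, which is the condition a scanner or an MDM gateway would want to catch before an app reaches a device.

```python
import io
import warnings
import zipfile
from collections import Counter
from typing import Dict, List


def build_constructed_apk(tampered: bool) -> bytes:
    """Build a minimal, constructed APK-shaped ZIP entirely in memory.

    This is sample input made up for the example, not a real app. A real APK
    also carries META-INF/CERT.SF and CERT.RSA; the only property that matters
    here is whether a file name appears twice in the archive.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example'/>")
        zf.writestr("classes.dex", b"dex\n035\x00ORIGINAL")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if tampered:
            # A second entry with the same name as the legitimate classes.dex.
            # zipfile warns about the duplicate but still writes it.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", UserWarning)
                zf.writestr("classes.dex", b"dex\n035\x00TAMPERED")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> Dict[str, int]:
    """Return {name: count} for every entry name listed more than once
    in the ZIP central directory. A clean APK yields an empty dict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_bodies(apk_bytes: bytes, name: str) -> List[bytes]:
    """Return the decompressed body of every entry called `name`, in
    central-directory order. Opening by ZipInfo rather than by name reaches
    each copy individually, which is what shows that two consumers of the
    same archive can disagree about what `name` contains."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read() for info in zf.infolist() if info.filename == name]


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive has any duplicated entry name."""
    return bool(duplicate_entries(apk_bytes))


if __name__ == "__main__":
    for label, tampered in (("clean", False), ("tampered", True)):
        apk = build_constructed_apk(tampered)
        print(label, "duplicates:", duplicate_entries(apk),
              "bodies:", entry_bodies(apk, "classes.dex"))
```

Note that Python's own `ZipFile.read("classes.dex")` silently returns the last copy, because its name lookup table is overwritten as the central directory is parsed; a different ZIP parser may just as reasonably pick the first. That is exactly why a duplicate name is worth rejecting outright rather than trying to decide which copy is "real".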
No attacks on real devices have been reported as yet, and Samsung has already patched the issue in its Galaxy S4 flagship, but practically every other device, running anything from Android 1.6 to 4.2.2, is vulnerable. Android Central's Jerry Hildenbrand gives a great overview of the bug and how to keep it from affecting your phone, though the gist is simple: don't, under any circumstances, sideload software from outside Google Play. Apps uploaded to Google Play have been found to contain malware before, but this particular exploit can't be used against apps distributed through the official store.
Google confirmed recently to ZDNet that it has patched the vulnerability and submitted the corresponding code to its manufacturer partners. Now all that's left is for OEMs such as Samsung and HTC to schedule minor updates with their carrier partners like Rogers, TELUS and Bell. That step alone has been the bane of users' existence for years, so it's unlikely many older phones will ever see the fix; newer devices will likely get it folded into larger software rollouts.
Now we wait.