SHARE
Secruity research firm BlueBox finds Android “master key” exploit.

As I sit here and check the news on my Android phone whilst writing up a post on my Chromebook it’s safe to say I’m a fan of Google and their tech ventures. Whenever I see an article or a piece of news that says anything other than good things about Android or Google I tend to turn a blind eye. So when I saw the news that I’m about to write about I really wanted to ignore it, but I guess I can’t really, I have to be impartial about these things. Dammit.

So the news is this; Security research firm BlueBox has recently found an exploit which allows ‘hackers’ (a term I’ll use loosely) to gain access to your Android device and do whatever they wish with it, but is it as serious as everyone’s making out it is?

The exploit involves something to do with the way Android verifies whether an app or game is legitimate and to assure it’s not been tampered with or contains ‘malware’ (another term I’ll use loosely). Jeff Forristal the CTO at BlueBox and his team have found a method to trick this verification cryptology in order to sneak apps containing this malicious software so they go unnoticed.

“It can essentially take over the normal functioning of the phone and control any function thereof,” wrote Forristal on the BlueBox Blog.

Now I’m no Android expert – really I’m not, so what I’m about to say is based purely on my own opinion. First and foremost Forristal and his team do this for a living, they work day in and day out searching for exploits in various pieces of software – they’re experts at what they do and know how and where to look – chances are someone who wants to actually do this for malicious reasons is most likely going to be a lone wolf with probably half of the expertise than an entire security research firm.

Secondly If said “hacker” manages to create a legitimate looking app with the malicious exploits within, they would then need to distribute the app accordingly – one of the main gates he’ll need to overcome is getting his app onto the Google Play store as mentioned by Dan Wallach to Ars Technica. The only real way a “hacker” could easily distribute this app is via online portals, this brings me onto my third point.

Don’t download APK’s from anywhere but the Play Store or from a trusted developer’s website. If you’re downloading pirated APKs because you don’t want to spend £0.69 on a particular game, you deserve what you get quite frankly. The same common sense that you should be using on your PC applies to most smartphones. If you go around to the dodgy corners of the internet looking for a file that might not be legitimate, chances are it’s not.

So yes, though the exploit is bad and Google seem to be doing nothing about it, I believe that it can only really affect people that go looking for trouble in the deep dark corners of the Internet. Google do a fantastic job at not letting too many malicious apps onto their Play Store – granted there’s been a few, but on a whole they do a good job so personally I don’t think there’s anything to worry about.

I’d love to know your thoughts! Leave a comment below.