Lest you think Facebook is the only security punching bag getting a beating lately, two significant flaws in the Android application platform have been revealed by overseas security teams. Without going into the gory details, each team has found a different way to create a trojanized APK (the file format in which Android apps are delivered) that is indistinguishable from the original. This would allow an app to appear and function normally, but also execute functions like transmitting your passwords, texts, emails on the sly. Google has already put together a fix and distributed a patch to OEM manufacturers, and supposedly they are able to detect this sort of exploit on the Google Play Store.
You need to worry if you “sideload” apps on your Android phone, which is to say you get apps from sources other than Google Play. Keep in mind, even Amazon’s App store counts as a sideloading source, and as of the moment, they aren’t scanning for this vulnerability.
What this means for you:
Even though Google has issued a fix for this particular vulnerability, they can’t force the update upon the millions of Android phones out there affected by this weakness, as that task lies with the phone manufacturers and the carriers. With the exception of avid power-users, most Android users are unaware that their Android OS may be months or years out of date, primarily because cellular carriers insist on selling phones that use a modified version of the OS that does not automatically get updated when Google updates the core version of Android. On top of this, the carriers are notoriously slow in issuing updates. If you are wondering what folks are talking about when they are discussing “Gingerbread”, “Honeycomb”, “Ice Cream Sandwich” and “Jelly Bean”, they are referring to the various versions of Android OS, where Jelly Bean is the latest. Supposedly this exploit exists as far back as “Donut” (ver 1.6).
Even worse, certain older models of Android phones may never get updated, as the carrier has essentially abandoned firmware updates for phones that are “retired” from active support. Users of these phones have essentially two options: root, unlock and update the phone with a custom version of the Android OS developed by the open source community, or buy a new phone. The former option is definitely not for technically-disinclined. Given the gravity of the vulnerability, the carriers may issue patches for the majority of its phones, but I wouldn’t hold your breath.
Until you are able to verify your Android smartphone is running a version of the OS that fixes this vulnerability, don’t sideload applications. If you want to be extra safe, avoid using smartphone apps that transmit sensitive information like banking passwords, pins and other sensitive personal information. As I’ve reiterated before, exercise caution before convenience, especially when it comes to protecting yourself.