
Google races to close Android loophole that hijacks any app

Google has scrambled to close a security loophole in Android that could have allowed hackers to hijack any app and turn it into malware.

Google has raced to close a security loophole in Android that experts say could have allowed hackers to hijack any app and turn it into malware.

The malware experts at Bluebox Security reckon they've discovered a Master Key vulnerability in Android that could allow 99 per cent of apps to be turned into malicious Trojan software, attacking your phone or tablet.

Fortunately Google told our sister site ZDNet the hole has been patched and the solution released to hardware manufacturers to distribute to customers. Samsung is said to be one of the first to release the patched software in an update to your phone's software.

Bluebox says the vulnerability is found in the part of Android that verifies and installs apps, each of which has a cryptographic signature that gives a thumbs-up that the app hasn't been tinkered with by wrong'uns. The loophole is reported to let those wrong'uns mess with an app -- without affecting the signature.

Google is playing down the significance of the Master Key problem, reassuring phone fans that Google's security sweeps haven't seen any evidence of exploitation in Google Play or other app stores.

Mobile malware was in the news recently when a fake copy of the app promoting new album Magna Carta Holy Grail targeted Jay-Z fans. Google has software called Bouncer that sweeps Google Play looking for tampering by ne'er-do-wells, but it isn't as tightly regulated as the Apple App Store, which vets every app before allowing it in.

Be careful out there: make sure you only download apps from trusted sources, and don't agree to give an app access to anything you don't think it should be asking for.

Have you ever encountered malware that's caused you phone problems? Tell me in the comments or on our wrong'un-free Facebook wall.