Researchers at security firm Bluebox Labs have found a bug in Android that allows malicious software to be disguised as an authenticated app. Bluebox Labs says the vulnerability has existed since Android 1.6 "Donut", that is, for four years, and affects "99%" of devices running Android. Normally an application is authenticated by a cryptographic digital signature, so an update that was not released by the original programmers (i.e. by someone who does not hold the app's signing key) is rejected at installation. But Bluebox says it has discovered a way to modify APK files without breaking that signature. Hackers can exploit this to install malicious code on a device, as long as they figure out how to distribute the modified package to consumers.
Using the Google Play Store to distribute and install the modified app is not feasible, because Google has updated the app store to prevent this. But if users install software from third-party app stores, or manually download an app and copy it onto the device to install it, the risk of picking up malicious code through this bug is real. The same could happen if a user were tricked into opening an email or website that contains malicious code. Once the attacker's malicious code is installed, he can gain full access to the system: stealing data (email, SMS, documents), extracting the passwords of all the services the device is logged in to, and turning the Android device into part of a botnet. The malware can also make calls, send text messages, take pictures and record, all without the user's knowledge.
Bluebox adds that the bug was reported to Google in February this year, but when a fix arrives depends on the device manufacturer. Bluebox CTO Jeff Forristal said the Samsung Galaxy S4 has already been patched against the vulnerability; strangely, however, the Nexus line has yet to be updated. Users of devices that no longer receive updates from the manufacturer, such as the HTC One S, will face even more risk.