Up to 900 million devices running Android could be affected by a new vulnerability which would allow cybercriminals “full control” over affected handsets, Bluebox Labs has warned.

The vulnerability exploits “cryptographic signatures” used to verify Android apps - allowing cybercriminals to modify apps with malicious code undetectably, Bluebox claims. This could “turn any legitimate application into a malicious Trojan,” the security company’s CTO Jeff Forristal warned in a blog post.

The vulnerability could be used for everything from data theft to the creation of mobile botnets, Forristal says. Forristal claims the vulnerability affects every Android device since Android 1.6 - up to 99% of Android devices.

“This vulnerability makes it possible to change an application’s code without affecting the cryptographic signature of the application – essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been,” says Forristal.

ESET Senior Research Fellow David Harley says, “Security based on application whitelisting relies on an accurate identification of whitelisted (approved) applications using a cryptographic signature: a sort of electronic fingerprint that represents various identifying characteristics in a brief and hopefully unique form. For instance, this SHA1 hash represents a malicious program that ESET detects as Darkleech: 8f20fb5a1ce55a7ec8c50c0e8ed11bf775138223.”

“If an Android user tries to install an app that doesn't have the correct cryptographic signature, the installation should fail, and a fake/malicious app shouldn't be able to cause any damage. What the problem that Bluebox has flagged actually is won't be clear until their presentation at Blackhat, or maybe not even until Google has fixed the problem in the Android code, but it seems that they've found a way of modifying an application's code without changing its cryptographic signature, so that a malicious app masquerading as a whitelisted app could be verified incorrectly and installed.”

“That can only happen if (a) the vulnerability is as dangerous (i.e. as universally applicable) as Bluebox have reported (b) some miscreant has discovered the same flaw independently and chooses to exploit it. It's been suggested that the possibility of this actually constituting a danger to the public is low because the malicious app would have to be approved by to get it onto Google Play. Two things: (1) it's not unknown for malicious apps to get onto the Google Play store (2) Google only validates apps that are submitted to Google Play: however, whereas iGadget users can only install apps from Apple's App Store unless they jailbreak the device, there are a number of legitimate repositories that Android users can shop from, and apps from those sources are not necessarily validated at all.”

The fragmented nature of the Android market could also mean the problem is long-lasting, warns ESET Senior Research Fellow Righard J. Zwienenberg.

“The biggest problem for consumers is the enormous number of old phones running Android that are still in use, for which the operators will not release a new version,” says Zwienenberg. “I'd estimate that at least a third of phones still run the very popular, but out-dated, Gingerbread Android platform. Regardless of whether Google releases patches for these  versions, the phones will remain vulnerable.”

“More recent models, like the Samsung Galaxy S3, Galaxy S4 or the HTC One, will most likely be patched. But the question is when? Even if Google is updating the stock Androids, manufacturers and operators also need to be involved to ensure all round protection.”

“Different obfuscation techniques can be deployed to bypass Google Security spotting it and getting malicious code via Play Store on the phone. And once downloaded onto a phone these can create havoc for the user and their phone bill.”