Four-year-old bug could allow attackers steal data from 99pc Android devices

While there is no way for an infected app to reach users’ Android device if they always use Google Play (also updated) for downloading apps or updating them, the risk is very high for the users of third-party stores or consumers who install APK files from unknown sources.

This just reinforces the common-sense advice frequently given out here at AF; "Be VERY careful if using anything other than Google Play." ;)
Upvote 0
If the article wanted to be accurate and informative, it would have stated:

"While there is no way for an infected app to reach the device regardless of what operating system they are using if they always use approved stores for downloading apps or updating them, the risk is very high for the users of third-party stores or consumers who install APK files from unknown sources."

In the case of Android, I would say that only Play Store and Amazon App Store are secure. Other than that, I have only downloaded betas from the SwiftKey and Swype official sites.
Upvote 0
Since it isn't about the Razr in particular and more about general Android, I have moved this topic to the Android Lounge. One thing that might settle your nerves is a quote I found from another article about the exploit:

The good news, according to CIO, is that Google has fixed the Google Play app store so that it will not allow apps that are vulnerable to the flaw. But apps downloaded from non-Google third parties remain vulnerable
Upvote 0
"Update: According to a report in CIO, Google has already modified its Play Store’s app entry process so that apps that have been modified using this exploit are blocked and can no longer be distributed via Play."

They have yet to remove placebo/fake apps which do nothing except waste your time and battery energy as you shop the Play Store. Google does a "D" grade job of policing the Play Store, in my opinion.
Upvote 0
Seems that a new Android vulnerability has been found that affects 99% of 'droids and could make your phone open to anything from snooping to a complete take over :eek:

All Android apps contain a cryptographic signature that ought to be invalidated if a legitimate app is tampered with - e.g. 'infected' with a virus - after distribution. Your phone checks the signature and will refuse to install an app if its signature is invalid.

This vulnerability means that the apps can be amended without invalidating the signature which in turn means that kosher apps can be 'infected' with dodgy code and your phone will happily install them.

Unfortunately, individual manufacturers will need to fix their firmware and distribute the fix to all phones running any version of Android from 1.x on - good luck anyone with a non-current phone :eek:

On the upside, Google have fixed Play so no infected apps can be distributed from there which means that, so long as you avoid 3rd party app stores, you should be - relatively - safe.
Upvote 0
From the verge article:

"How that distribution would actually occur is still theoretical. Exploiting via Google's Play Store isn't possible, since Google has already updated the platform. But a user could still be tricked or lured into installing a bogus update through other avenues, including third party app stores, phishing emails, or malicious websites."

Really? Theoretical flaws get real articles? What's next? In theory an Android phone can't survive a direct hit from a nuclear missile?

Four year old Android bug could allow malicious apps on '99 percent' of devices | The Verge
Upvote 0

