Owners of smartphones powered by Google’s Android have not had a great time of it of late, especially if they’re the kind of users that worry about security. First, news came that a potentially major Android security flaw had been unearthed, leaving the vast majority of Android devices vulnerable. Good news followed in that Google was aware of the issue and had even managed to get a patch out to carriers and OEMs. Great stuff.
The problem is that now, just three short days later, it would appear that a new and similarly hefty security problem has befallen Google’s mobile operating system. Again, this one has already been patched by Google, though users are now reliant on their carriers and hardware makers pushing that patch out to their devices.
This latest Android vulnerability was actually discovered via one of Google’s own fixes, which is good in that we know it has already been plugged. Google pushed the fix to its Android Open Source Project, or AOSP, on July 3rd but did so silently. According to the source that discovered it, the bug and its fix receive no mention other than to say that "Values in zip files are unsigned." The note is cryptic, and Google doesn’t go into details about either the bug or its fix, but that same source has done some digging and it appears that malicious code could be run in a similar way to the recently announced Master Key exploit.
There’s no word as to whether Google discovered this security flaw or whether anyone else did and then informed the company without going public. The end result is still the same though, and a fix is beginning to filter into the wild regardless. It does however mean that two potentially big security flaws have been found in Google’s mobile operating system within a matter of days or weeks. With Android being far from new to the world, the fact that such vulnerabilities are still being discovered may be disconcerting to its users.
If you own an Android device and are still uncertain about its security, it’s a good idea to install apps that take care of security. Also, give Bluebox Security Scanner for Android a shot to check whether your device is affected by the Master Key exploit.
(Source: AndroidSecuritySquad [Google Translate])