Less than a month after researchers at Bluebox Security uncovered the biggest Android security hole to date, Symantec has spotted two malicious apps that are taking advantage of this major crack in Android’s foundation. Essentially, the vulnerability found by Bluebox theoretically allows hackers to change mobile applications’ codes without breaking the cryptographic signature that’s needed to verify an app’s legitimacy. In other words, the vulnerability could give hackers free rein to transform any app into malware. To make matters worse, Bluebox says that this problem has existed since at least Android 1.6, which means that the vast majority of Android devices are vulnerable to malware-producing hackers.
Symantec says so far that’s it’s found two mobile apps in China whose code has been rewritten by hackers to let them “remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands.” Google has issued an official patch for this major Android security vulnerability but since it’s being distributed through OEMs there’s no timetable for when many devices will be able to download it.