You really didn't think that my first story in over a month would be good news, did you?!? Researchers at Bluebox have discovered a security vulnerability in Android that could allow malicious code to infect nearly any app on your device.

In a nutshell, Android accepts a variety of security certificates to verify the authenticity of an app, including self-signed certificates that aren't issued by a digital certificate authority. There is, however, another kind, referred to as a hard-coded certificate, that gives the associated app elevated permissions, such as the ability to inject code into other apps. The three most often cited apps that use this type of certificate are Adobe, which most likely uses it to let Flash act as a plug-in for other apps; 3LM, a service used on Motorola, Sony, HTC, Samsung, and LG devices among others that can install apps and control system settings; and Google Wallet, which uses its hard-coded certificate to provide secure access to NFC.

The problem is that Android does not verify the authenticity of the security certificates that act as intermediaries between the apps into which code is injected and the original hard-coded certificate that allowed the code to be injected in the first place. So essentially, an attacker can sign a malicious app with a security certificate that appears to be signed by the original hard-coded certificate but actually isn't, and Android will never cross-check this.

The bottom line is that this is yet another way in which an attacker can gain full access to your device and steal your personal stuff. Google says they have released a patch to address this, with Motorola being the only manufacturer that has begun to push the patch out so far. More details about the vulnerability, as well as a link to an app that can determine if your device is vulnerable, can be found
.
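As an added illustration (not from the article, Bluebox or Google), the Go program below uses the standard crypto/x509 package to show the missing check the post describes: a certificate that merely names the trusted hard-coded signer as its issuer passes a name-only comparison, but fails when the signature is actually verified under the signer's public key. The signer name, app names and keys are constructed placeholders, not real certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert issues a cert for subject with a fresh key; Issuer is copied from parent's Subject.
func mkCert(serial int64, subject pkix.Name, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // self-signed: the new key signs its own cert
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildScenario: a hypothetical hard-coded root, an app cert it really issued, and a forged one.
func BuildScenario() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	trusted := pkix.Name{CommonName: "Hypothetical Hard-Coded Signer"} // placeholder, not a real cert
	root, rootKey := mkCert(1, trusted, nil, nil)
	genuine, _ := mkCert(2, pkix.Name{CommonName: "Legit App"}, root, rootKey)
	lookalike, evilKey := mkCert(3, trusted, nil, nil) // same name as root, attacker's own key
	forged, _ := mkCert(4, pkix.Name{CommonName: "Malicious App"}, lookalike, evilKey)
	return root, genuine, forged
}

// NaiveIssuerMatch is the flawed check the post describes: trust by issuer name alone.
func NaiveIssuerMatch(child, root *x509.Certificate) bool {
	return child.Issuer.String() == root.Subject.String()
}

// SignedByRoot is the missing check: the child's signature must verify under the root's key.
func SignedByRoot(child, root *x509.Certificate) bool {
	return root.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) == nil
}
```

Both app certs satisfy NaiveIssuerMatch, but only the genuine one satisfies SignedByRoot; a package installer that stops at the name comparison cannot tell them apart.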
Source: PCWorld.com