Android is not popular for its security implementation, as many security analysts and competitors have pointed out. The world’s most used mobile OS, it seems has had a major vulnerability since the last four years (since 1.6 or Donut). This exploit allows malicious hackers to change an .apk (android package file) without changing its cryptographic signature. What this means is that anyone can easily bypass all the security process and put a trojan inside an Android app.
The exploit, named Android security bug 8219321, was discovered by Bluebox Security. The bug was reported to Google in February 2013. However, it seems the onus is on device manufacturers to patch this bug and it probably hasn’t been done yet. The exploit takes advantage of the way in which Android apps are verified and installed to make it possible to go ahead and modify .apk code. The cryptographic signature of any app is used to verify it as coming from a legitimate source. As the exploit doesn’t break the cryptographic signature, any modifications made to the .apk will be ignored so long as the Android system is convinced that this app is coming from a verified source.
The company has also given an example about how they completely took control of a HTC phone by using the exploit. The security bug allows hackers to gain access to any/all permissions on the device and makes extensive modifications. Bluebox says that this could be used to run a malicious botnet without the user ever being aware that their phone has been compromised.
Source | Bluebox Security
Image Source | WMPoweruser