According to Jeff Forristal, CTO of mobile security startup Bluebox Security, the Android phones that some hold so dear to their hearts, actually come with a flaw.

It has been reported that 99%, or nearly 900 million Android phones released in the last four years could contain a “master key” defect. This imperfection leaves Android apps vulnerable to hackers that can turn an app into a harmful Trojan with the modification of APK codes.

Here’s how Bluebox explains it:

Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.

In better news, CIO reports that Google has fixed the Google Play app store, so it will not allow flawed apps to be an option for download – however apps from other sources are still vulnerable.

Bluebox advises the following:

• Device owners should be extra cautious in identifying the publisher of the app they want to download.
• Enterprises with BYOD implementations should use this news to prompt all users to update their devices, and to highlight the importance of keeping their devices updated.
• IT should see this vulnerability as another driver to move beyond just device management to focus on deep device integrity checking and securing corporate data.

[Source: TechCrunch]