'Master key' to Android phones uncovered

"One other hurdle is that in order to catch out Android users, malicious hackers would have to get their booby-trapped version of a legitimate application on to the Google Play store"
 
Not so fast on that one... actually that can be avoided.  Tricking the customer into disabling the security of "Do not allow third party apps" would evade that.  Now I know most consumers should be smart enough to not do that... but you know that if well worded people can be tricked into a whole lot of things.  
 
HUGE hole that does need attention... but I wonder this: would the Webroot Andriod app protect against this kind of an exploit?

Not surprisingly, some information has been left out of most articles covering this.
 
"Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said."
 
https://www.cio.com.au/article/466577/vulnerability_allows_attackers_modify_android_apps_without_breaking_their_signatures/
 
As DaivdP suggested, making sure that you do not have the option to allow installation from unknown sources enabled will help protect you from this exploit.
 
Vendor and Certificate spoofing is very common among Android malware. This exploit may go beyond what is already being used, but we look at what the app is actually doing, so the digital signature doesn't mean much if the app has obvious malicious intent.
 
-Dan

Dan,

Great reply, and really just what I expected 🙂 thanks for weighing in!

Our Security Intelligence Director, @ was recently quoted in a related article on this topic.  That article is available here.

The key to mobile security is to protect devices from all sides. Consumers and businesses should ensure they have the four corners of mobile security covered: identity protection to protect passwords and other personal information; the ability to automatically block mobile threats from malware and malicious apps, an in-built device locator which helps find your mobile phone if stolen and finally the system installed should be designed to ensure the usability of the device is not forfeited in the name of security – users are more likely to ignore security protection if it hampers the rich features of their device. With these four pillars in place, you form a strong line of defense against cybercrime which will go some way to protecting against the potential threat of the “master key.”

The following article is a updated on Android Phones Bug
 
(Android bug lets apps make rogue phone calls)
 
By/ By Lucian Constantin | IDG News Service Posted on July 7 2014
 
A vulnerability present in most Android devices allows apps to initiate unauthorized phone calls, disrupt ongoing calls and execute special codes that can trigger other rogue actions.
The flaw was found and reported to Google late last year by researchers from Berlin-based security consultancy firm Curesec, who believe it was first introduced in Android version 4.1.x, also known as Jelly Bean. The vulnerability appears to have been fixed in Android 4.4.4, released on June 19.
 
InforWorld/ Full Read Here/ http://www.infoworld.com/d/security/android-bug-lets-apps-make-rogue-phone-calls-245669