The majority of Android devices currently in use contain a vulnerability that allows malware to completely hijack installed apps and their data or even the entire device.
The core problem is that Android fails to validate public key infrastructure certificate chains for app digital signatures, said Jeff Forristal, chief technology officer of Bluebox Security, a San Francisco company whose researchers discovered the issue.
According to Google’s documentation, Android applications must be signed in order to be installed on the OS, but the digital certificate used to sign them does not need to be issued by a digital certificate authority. “It is perfectly allowable, and typical, for Android applications to use self-signed certificates,” the documentation says.
However, Android contains hard-coded certificates from several developers so it can give apps created by those developers special access and privileges inside the OS, Forristal said.