IT security firm Bluebox unearthed a critical security hole in Android, which allows hackers to gain control over a device. The flaw existed way back since Android 1.6 "Donut," and affects over 99 percent of all devices running the operating system. The only device Bluebox mentions to be immune is Samsung Galaxy S4, due to its restrictive SELinux implementation.
A flaw was found in the implementation of the package-manager that Android uses to install third-party apps. This flaw allows malware developers to modify the contents of a *.apk package, without affecting its cryptographic signature, so malware masquerading as legitimate apps get installed without a hitch. System software, such as updates, are also distributed in .apk packages.
Bluebox said it contacted Google with its findings, and claims that Google is working on an update for its Nexus devices. Google, on the other hand, has no comment on the matter. We're fairly certain that the only way to patch this hole is for device manufacturers to release updates for each of its Android devices since "Donut." There's no record of malware that took advantage of this flaw, which brings up the hypothetical question. Is a security flaw a flaw only after it's discovered?