Cybersecurity firm Trustwave claims to have identified a flaw in Google Play's security filter that allows a verified app to be updated with malicious code, according to CNET. The problem lies with Google Bouncer, the automated system that inspects newly submitted apps for incriminating code or functionality. Trustwave submitted a contact blocking app called SMS Blocker to Google for verification and, because it was legitimate and fully functional at the time, Bouncer let it through. However, using its special cloaking technique, Trustwave was able to update SMS Blocker 11 times with code that enabled it to peek at user photos, contacts, phone records, and even launch malicious websites.
While Android malware has appeared in the past, most have required some kind of user interaction. Trustwave's technique needed only to be installed with its legitimate base and then updated with the cloaked malicious payload, resulting in almost full control of the device. Trustwave's researchers are presenting their technique tomorrow at the Black Hat security conference, and we're sure that Google will be listening very intently.