“There's a big difference between ‘hackers can control almost any Android phone’ and ‘hackers can control almost any Android phone after its user has installed a piece of malware’,” iTWire contributor Stephen Withers said.
Fact: The vulnerability could allow data theft or hijacking of almost all Android devices ONLY IF their users install a ‘trojanised’ app. In order to do this, Android must be rooted. The vulnerability was reported to Google in February, and there have been no reported instances of it having been exploited.
“If you read what Bluebox had to say, it appears that the vulnerability is not itself an issue as long as the user doesn't install a Trojanised app,” he said.
Google has made sure that apps that exploit the issue do not get into Google Play. It is yet another reminder that Android is open source and Google can only check apps in Play for their pedigree.
This issue is part of the wider risk of using the Android ecosphere. With the fragmentation (number of older versions of Android) and the heavy customisation that handset makers do, it is almost impossible for Google to issue global security patches for fear of breaking Android on more than 1 billion Android handsets comprising more than 4,500 different models.