The security research team at Bluebox Labs has discovered a threat that affects 99% of Android mobile devices:
"... a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user...."
Clearly, this threatens both consumers and employers, because many employers allow employees to use their devices for work. Here is why users of Android devices should be concerned:
"... this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access. Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet."
Read the Bluebox Labs article to learn more about the technical details of the threat, which was presented at the Black Hat USA 2013 conference. The company advises consumers to: a) use caution and identify the app's publisher before downloading a new app; and b) update their devices (e.g., operating system, browser, anti-virus software).