* If you have enabled ‘Allow Unknown Sources’ in the settings menu to allow side-loading of APKs, pressed OK through the warning it gives you about potential security risks, AND you have downloaded a malicious APK from a third-party source and installed it, then you might be vulnerable. If you haven’t enabled this option, then don’t worry. Keep on keeping on.
* The vulnerability cannot be exploited by any apps downloaded from the official Play Store. It has been patched since it was revealed in February. This means for the vast majority of people, it’s business as usual.
* The exploit is fairly niche in that it cannot be performed if you’re in proximity to somebody (unlike, say, a wifi-spoofing MITM attack on iOS). It requires the end-user to take active steps to initiate the malicious program.
What I found entertaining was the amount of fear-mongering that some click-baiting ‘news’ sites generated, especially the more tabloid oriented ones. There were claims that all Play Store apps were affected, there were calls to immediately remove all apps from phones (thereby rendering them next to useless), mostly from non-tech ‘journalists’ who didn’t bother to spend a few minutes on researching the topic.
The sad thing is, this helps nobody – the methodology hasn’t been explained or verified in detail, and it causes non-technical end users to panic and do stupid things for no reason. But hey, why let the truth get in the way of some juicy headlines?
It’s also worth noting that Bluebox is a VC-funded security-focused startup that sells security packages. All the same, on the bright side – this is how it should be – exploit is found, vendor is notified, exploit is demonstrated (in this case it will be demonstrated at Black Hat 2013).