The latest Android security flaw could have allowed an attacker to take over the device’s battery and get access to sensitive information, a security researcher has warned.
The flaw is likely to have been discovered by researchers from Kaspersky Lab who found a malicious application that could enable a user to install a malicious version of the Android operating system on a device without the user’s knowledge, according to security firm Trend Micro.
The problem, known as Android M, was discovered in March and has only been known to affect devices running Android 5.0 Lollipop.
However, it has also been found on devices running newer versions of Android and other versions of the operating system.
“As a security expert, it is a huge surprise that Android M has not been identified in the wild,” Kaspersky Lab’s Dr. Kostas Kostopoulos told The Associated Press.
“We’ve known for some time that this flaw existed in Android M devices, but it’s now clear that the vulnerability can be exploited by malicious apps.”
The flaw was discovered when Trend Micro researchers installed a malicious Android app on a Google Pixel 2 smartphone with Android 5 and Android 7.0.0 Marshmallow operating systems.
The app, dubbed Android M2, installed an update to the app that caused it to download the malicious app.
“Android M2 has been identified as an exploit by several of our malware analysis customers,” Trend Micro said in a blog post.
“Android M2 has the capability to install malicious code and take control of a device’s processor, memory, camera, keyboard, microphone, camera shutter, GPS, Bluetooth, NFC, and more.”
The Android M app also included a malicious update that allowed it to “unmask” a device by identifying the device manufacturer, the app’s version, and a “keyword.”
“Once this update was installed, a malicious program can be installed on a victim’s device without its knowledge,” Kostoski said.
“This malicious app has the ability to access the device without permission and execute arbitrary code on the device.
It can then execute malicious code on other devices that are running Android Marshmallow.”
The AP contacted Google for comment and will update this story if we receive a response.
Google declined to comment on the report.