A quick PSA regarding the newfound Android "bug"

Griffolion

I know many of you peruse the internet far and wide, and you may come across this article (http://www.theverge.com/2013/7/3/4491862/four-year-old-android-bug-affects-99-percent-of-devices) regarding a 4-year-old bug that has been found in Android.

The information in the following pieces is derived from this article (http://www.androidcentral.com/making-sense-latest-android-security-scare).

TLDR about the bug:

Android apps are signed with cryptographic keys. Changes made to an app alter the key, until it is signed again. Unless the keys between the new and incumbent versions of the app match, no overwrite can occur. The BlueBox security team (a white hat organisation) found a way to make changes to an app without altering the key in the first place, essentially bypassing the need for re-signing the app and allowing an overwrite.

TLDR about the implications:

A malicious agent can, in theory, change an app without altering the key, injecting some malicious code into it. It can then covertly overwrite the incumbent version on your phone, giving it unfettered access to everything on your phone.

TLDR about what you need to do:

You need to invoke the same, absolutely cardinal, security measure that you do with your personal computer: don't be a bloody idiot and be sensible about what you download.

Going into settings -> security and unchecking the "allow unknown sources" box will ensure that your device will only install apps from the Google Play store. If you're running a device with Jelly Bean (4.1) or higher, then also check the "verify apps" button, too.

Only downloading your apps from Google Play (that has its own server-side screening processes) guarantees your device's safety. If that's not an option as you engage in sideloading apps or downloading from other sources (such as Amazon), then your device's safety is not guaranteed. Just make sure you can absolutely trust the vendor of any non-Google Play acquired app you come into contact with.

Google and the OEMs will be working towards a fix in the near future, so keep your ear to the ground regarding updates for your device.

Last notes:

No matter what some people will tell you, this isn't a time to break out the tinfoil hats. Continue as normal and stay safe as you always would do. This bug is four years old, and Android hasn't been brought down quite yet, so it really isn't as bad as what some sites would have you believe.