The code was discovered by research firm BlueBox. It has warned that criminals could use it to do what ever they want on an Android phone. That includes steal data, evesdrop or use it to send texts to premium rate numbers.
According to BlueBox, the code has been present in every version of Android since its release in 2009.
Google has so far not commented on the discovery.
BlueBox’s Jeff Forristal has said that the implications of the ‘master key’ could be huge.
Describing the code as a bug, it says it exists because of the way Android handles cryptographic verification – specifically how it checks to see if software installed is genuine and has not been tampered with.
Forristal said that his team had found a way to trick Android into thinking it had already checked that the software was genuine. This means any changes to the code – malicious or not – would continue to go unoticed.
Any app written to take advantage of the bug would have the same access to the phone as a legitimate app.
Unlike with iOS, Google allows its developers to access the very core of Android. This means that a malicious app could access and take over any function of the phone.
“It can essentially take over the normal functioning of the phone and control any function thereof,” Forristal wrote on BlueBox’s blog.
He said that BlueBox reported the bug to Google in February.
Forristal will present more information about the bug at this year’s Black Hat hacker conference, due to be held in August.
The issue is made more siginficant because of the length of time the bug has existed for. Any update would have to be issued to every Android phone ever released to protect them from this bug.
Just this week, HTC announced that it would no longer be issuing updates for its HTC One S smartphone. It is the latest in a long line of phones that are just over one year old that no longer receive updates.