Tell me you've heard this one before - ANDROID SECURITY HOLES (again)... your phone is vulnerable if you use apps.. (sigh)..

Here's the article..

From INFOSecurity Magazine just published

Attackers are able to modify apps in an undetected way, without affecting their signatures.

The flaw (CVE-2017-13156) allows a file to be a valid APK file and a valid DEX file at the same time, according to Guard Square, which has named it the Janus vulnerability, after the Roman god of duality.

"When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update. Nefarious types can leverage the Janus issue to prepend a malicious DEX file to an APK file, so that Android will accept the APK file as a valid update of a legitimate earlier version of an app. However, the code is loaded from the injected DEX file."
ooooooops....

"Depending on the targeted application, a hacker can access sensitive information stored on the device or take over the device completely.

"Alternatively, an attacker can pass a modified clone of a sensitive application as a legitimate update, for instance in the context of banking or communications. The cloned application can look and behave like the original application but inject malicious behavior."

The Janus vulnerability affects recent Android devices (Android 5.0 and newer). Google has released a patch to its OEM partners.

As pointed out before, getting other vendors using the ANDROID OS to update is not the easiest thing.. If you have that phone, with Android 5 or newer, be sure to take a look to see if you can get the fix.
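
An added example, not part of the original post or the quoted article: a defensive check that flags a file which begins with a DEX header yet still parses as a ZIP/APK archive from its end, the dual shape the article describes. The function names and the sample bytes are constructed for illustration; the dummy header is not a working DEX file.

```python
import io
import struct
import zipfile

DEX_MAGIC = b"dex\n"          # every DEX file starts with this, then a version like "035\0"
EOCD_SIG = b"PK\x05\x06"      # ZIP end-of-central-directory record (read from the file's tail)
CD_SIG = b"PK\x01\x02"        # ZIP central-directory entry

def leading_bytes(data: bytes, eocd: int):
    """Bytes in front of the first ZIP entry, or None if the archive does not parse."""
    try:
        total, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
        shift = eocd - cd_size - cd_offset   # > 0 if data was prepended, offsets untouched
        pos, lowest = cd_offset + shift, None
        for _ in range(total):
            if data[pos:pos + 4] != CD_SIG:
                return None
            name, extra, comment = struct.unpack_from("<HHH", data, pos + 28)
            (local,) = struct.unpack_from("<I", data, pos + 42)
            lowest = local if lowest is None else min(lowest, local)
            pos += 46 + name + extra + comment
    except struct.error:
        return None
    return None if lowest is None else lowest + shift

def check_apk(data: bytes) -> dict:
    """Report whether a file reads as DEX from the front and as ZIP from the back."""
    starts_as_dex = data.startswith(DEX_MAGIC)
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    lead = leading_bytes(data, eocd) if eocd != -1 else None
    return {"starts_as_dex": starts_as_dex, "is_zip": lead is not None,
            "leading_bytes": lead, "suspect": starts_as_dex and lead is not None}

def constructed_samples():
    """Constructed inputs: a tiny ZIP, and the same ZIP behind a dummy 112-byte DEX-like header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"placeholder")
    plain = buf.getvalue()
    return plain, DEX_MAGIC + b"035\x00" + bytes(104) + plain

if __name__ == "__main__":
    for label, sample in zip(("plain", "dex-prefixed"), constructed_samples()):
        print(label, check_apk(sample))
```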