Code injection
Another big security risk is code injection. Code injection happens when a piece of software is deliberately modified to insert a module of code, generally malicious, that performs an unintended operation. These unintended operations range from data theft to user surveillance, among others. For this reason, it is particularly important that applications are signed. An application that has been signed by a trusted manufacturer will not contain injected code.
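As an added example (not from the original text), the check below compares the signing certificate of an APK with a fingerprint pinned for the trusted publisher. It assumes the `apksigner` tool from the Android SDK build-tools is on the PATH; the function names, the pinned fingerprint and the two sample outputs are constructed for illustration.

```python
import hmac
import re
import subprocess

# Line printed by `apksigner verify --print-certs` for each signer.
_DIGEST_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)


def normalize(fp: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' and return lowercase hex."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).lower()


def signer_digests(apksigner_output: str) -> list[str]:
    """Extract the SHA-256 digest of every signer certificate."""
    return [m.group(2).lower() for m in _DIGEST_RE.finditer(apksigner_output)]


def signed_by_publisher(apksigner_output: str, pinned_fp: str) -> bool:
    """True only if at least one signer exists and every signer matches the pin."""
    pinned = normalize(pinned_fp)
    digests = signer_digests(apksigner_output)
    if len(pinned) != 64 or not digests:
        return False  # unsigned, unverifiable, or unusable pin
    return all(hmac.compare_digest(d, pinned) for d in digests)


def check_apk(path: str, pinned_fp: str) -> bool:
    """Run apksigner on a real APK file and apply the pin check."""
    proc = subprocess.run(["apksigner", "verify", "--print-certs", path],
                          capture_output=True, text=True)
    # A non-zero exit code means the signature itself did not verify.
    return proc.returncode == 0 and signed_by_publisher(proc.stdout, pinned_fp)


# Constructed sample data: a made-up pin and two made-up tool outputs.
# The re-signed copy reuses the publisher's name (DN) but has a different key.
PINNED = "AB:" * 31 + "AB"
GENUINE_OUT = ("Signer #1 certificate DN: CN=Example Publisher\n"
               "Signer #1 certificate SHA-256 digest: " + "ab" * 32 + "\n")
REPACKAGED_OUT = ("Signer #1 certificate DN: CN=Example Publisher\n"
                  "Signer #1 certificate SHA-256 digest: " + "cd" * 32 + "\n")

if __name__ == "__main__":
    print("genuine:", signed_by_publisher(GENUINE_OUT, PINNED))
    print("re-signed copy:", signed_by_publisher(REPACKAGED_OUT, PINNED))
```

The distinguished name in a certificate can be copied by anyone, so the check relies on the certificate digest only.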
Georgie Casey, an Irish engineer, demonstrated a scary proof of concept in a 2013 article. He decompiled SwiftKey, the award-winning keyboard for Android, and injected a piece of code that logged all the keystrokes and sent them through a web service connected to a public website, where they were displayed. The point was to prove that anybody could have done this and uploaded the manipulated APK to one of the alternative stores. A person looking for a free APK could have downloaded it and used it, sending...