A new security risk has been identified in Android, which apparently allows malicious apps to pose as being ones from trusted sources, according to The Guardian. The flaw has been named ‘Fake ID’ by security company Bluebox Labs, who discovered it recently.
However the flaw has already been patched in the Android KitKat update, but according to statistics it could still affect millions of devices, since Google’s figures show that 82.1% of Android devices have not yet been updated to the newest version. Google plans to force most devices to use the software soon, so hopefully this will help to eliminate Fake ID risks.
The flaw lies in the ‘identity’ of each app uploaded to the Android Market. Apps have their own cryptographic identifier key, which is distributed to an apps which has been confirmed to be genuine as part of a security certificate. Security certificates go along a chain of trusted parties, with each contributing to verifying the apps identity.
The security certificate chain works by comparing ‘parent’ and ‘child’ certificates, the parent being the original certificate from the app’s creator, and the child being the certificate assigned to the downloaded copy of the app. These certificates must match to pass security checks and issue identifier keys.
However, Bluebox believes that there aren’t enough checks being carried out on this system, which is supposed to be foolproof. Some certificates allow apps to do certain things, like open a web viewer, meaning that by merging genuine and corrupted certificates together, malicious apps could bypass security on older devices by allowing certain programs or webpages to run.
These Fake ID’s can be used to distribute malware, but also attack financial data by mimicking Google Wallet permissions, Bluebox said.
Google were quick to encourage their users to remain calm in a statement on Fake ID;
“Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,”
A patch for current versions was issued immediately after Bluebox’s discovery, meaning if you’re up to date you’re safe from this new threat.
To find out more, check out the source link below, which gives a more detailed description of how Fake ID works.
Source and more info: The Guardian