Android has a dangerous new security flaw that could allow malicious apps to gain access to things on your phone that you never intended them to. Security firm BlueBox released its new findings today, showing a way that hackers could get into your phone by impersonating a trusted app. We hear about security issues all the time, so let’s take a closer look and see whether this latest one is something you should be worried about.
The bug lies in the way the Android package installer verifies digital certificates. A digital certificate is essentially a signature on an app that identifies its publisher. The issue is that Android doesn’t check with the publisher to make sure that the app being installed is legitimate. A malicious app could mimic the certificate of a legitimate app and fool an Android device into granting it the permissions and hardware access of that legitimate app.
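To make the distinction concrete, here is an added toy illustration of the difference between trusting a certificate because of the issuer name it claims and trusting it only after verifying the issuer’s signature. It is not Android’s installer code or part of BlueBox’s findings; the trust store, keys and app names are constructed, and a keyed hash stands in for a real public-key signature.

```python
import hashlib
import hmac
import json

# Constructed trust store: the device holds key material for one trusted
# publisher. A keyed hash (HMAC) stands in for a real public-key signature
# so this runs with only the standard library; the checking logic is the point.
TRUSTED_ISSUERS = {"Trusted Publisher": b"trusted-publisher-signing-key"}
ATTACKER_KEY = b"attacker-controlled-key"  # never present in the trust store


def _payload(subject: str, issuer: str) -> bytes:
    """Canonical bytes the signature covers: who the cert is for and who issued it."""
    return json.dumps({"subject": subject, "issuer": issuer}, sort_keys=True).encode()


def make_cert(subject: str, issuer: str, signing_key: bytes) -> dict:
    """Build a certificate: an identity claim plus a signature over that claim.
    Anyone can write any issuer *name* into a cert; only the real issuer's key
    produces a signature that verifies against the trust store."""
    sig = hmac.new(signing_key, _payload(subject, issuer), hashlib.sha256).hexdigest()
    return {"subject": subject, "issuer": issuer, "signature": sig}


def flawed_is_trusted(cert: dict) -> bool:
    """Flawed check: trusts the cert because it *claims* a trusted issuer.
    Nothing ties the claim to the issuer's key, so a forgery that copies the
    issuer name passes: the 'fake ID card' the article describes."""
    return cert["issuer"] in TRUSTED_ISSUERS


def correct_is_trusted(cert: dict) -> bool:
    """Correct check: recompute the signature with the trusted issuer's key."""
    key = TRUSTED_ISSUERS.get(cert["issuer"])
    if key is None:
        return False  # unknown issuer, nothing to verify against
    expected = hmac.new(key, _payload(cert["subject"], cert["issuer"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])  # constant-time compare


# Constructed sample certificates: one genuinely issued, one forged by an
# attacker who copied the trusted issuer's name but signed with their own key.
GENUINE_CERT = make_cert("Payment App", "Trusted Publisher", TRUSTED_ISSUERS["Trusted Publisher"])
FORGED_CERT = make_cert("Payment App", "Trusted Publisher", ATTACKER_KEY)

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("forged", FORGED_CERT)):
        print(f"{label}: flawed={flawed_is_trusted(cert)} correct={correct_is_trusted(cert)}")
```

The forged certificate passes the name-only check and fails the signature check, which is exactly the gap a device needs closed.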
“We basically discovered a way to create fake ID cards. There are different vectors. They all come down to: I can create a fake ID card. The question is, which fake ID card do I create?”
Jeff Forristal, BlueBox
Such a flaw presents a serious threat to security, as the bug isn’t limited to any one app. A payment app such as Google Wallet or PayPal could be taken advantage of, and hackers could gain access to personal financial and security data. Even remote device management software could be fooled, allowing hackers nearly full control of your device.
BlueBox concluded its report in March and immediately sent the results to Google. In April, the Android security team developed a fix and sent it out to manufacturers. Manufacturers then had 90 days to implement the fix before BlueBox let the world know about its findings. BlueBox, however, has tested 40 major Android devices and knows of only one manufacturer that has implemented the fix.
While the bug is out there, Google has reported that it has scanned all the apps in Google Play, as well as others outside the store that have been reviewed by Google. Fortunately, the method hasn’t been used for exploitation yet, but with the news now public, it’s really only a matter of time until someone tries it. With Google on the case, hopefully it can watch apps and prevent any from causing too much havoc.
What does this all mean for you? At this point, it seems that you’re not in much real danger. Google is on the lookout and manufacturers have a fix available to them that will likely be rolled out to more devices in light of the news becoming public. But, as you should always do, keep your eyes open and be smart. If an app appears suspicious, think twice before downloading it. It could cost you more than you think.