Jul 29 AT 4:46 PM Nick Sarafolean 5 Comments

Android’s fake ID security issue and what it means for you

Image via altemark, Creative Commons

Android has a dangerous new security flaw that could allow malicious apps to reach parts of your phone that you never intended them to. Security firm BlueBox released its findings today, showing how an attacker could get onto your phone by impersonating a trusted app. We hear about security issues all the time, so let's take a closer look and see whether this latest one is something you should be worried about.

The bug comes from the way the Android package installer verifies digital certificates. A digital certificate works like a signature on an app: it identifies the publisher, and other apps and system components grant special access based on who signed an app. The problem is that when Android builds an app's certificate chain it links each certificate to its claimed issuer by name alone; it never checks that the named issuer actually signed the certificate. A malicious app can therefore name a legitimate publisher as its issuer, bundle a copy of that publisher's real certificate alongside its own, and fool an Android device into thinking the app has the permissions and hardware access of that publisher.

"We basically discovered a way to create fake ID cards. There are different vectors. They all come down to: I can create a fake ID card. The question is, which fake ID card do I create?"

Jeff Forristal, BlueBox
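The flawed chain check and its fix, as an added example that is not part of the original article or of Android's own (Java) code: it uses Go's standard x509 package to build a hypothetical publisher root, one app the publisher really signed, and one "fake ID" app that merely names the publisher as its issuer and ships the publisher's real certificate next to its own. The publisher name, the app names and all function names are invented for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } }

// newKey returns a fresh P-256 signing key (ECDSA, because it is in the stdlib).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue certifies subjectKey with Issuer = parent.Subject, signed by signerKey (nil parent = self-signed).
// A fake ID passes a parent template holding only the publisher's name; with no public key in it,
// x509.CreateCertificate has nothing to compare the attacker's signing key against.
func issue(cn string, parent *x509.Certificate, signerKey, subjectKey *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &subjectKey.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// buildChain mirrors the installer: from the leaf it repeatedly picks the bundled certificate
// whose Subject equals the current Issuer *name*. verify=false is the bug (no signature is ever
// checked, so naming a bundled certificate as issuer links to it); verify=true demands a valid
// signature for every link.
func buildChain(leaf *x509.Certificate, bundle []*x509.Certificate, verify bool) []*x509.Certificate {
	chain := []*x509.Certificate{leaf}
	for cur := leaf; len(chain) < 8 && cur.Issuer.String() != cur.Subject.String(); {
		var next *x509.Certificate
		for _, c := range bundle {
			if c.Subject.String() == cur.Issuer.String() {
				next = c
				break
			}
		}
		if next == nil || (verify && cur.CheckSignatureFrom(next) != nil) {
			break // no issuer bundled, or the named issuer never signed this certificate
		}
		chain = append(chain, next)
		cur = next
	}
	return chain
}

// signedBy is the consumer's privilege check: is the known publisher certificate anywhere in the chain?
func signedBy(chain []*x509.Certificate, trusted *x509.Certificate) bool {
	for _, c := range chain {
		if c.Equal(trusted) { // whole-certificate comparison, not just the name
			return true
		}
	}
	return false
}

// evaluate installs app together with the publisher certificate it bundles (as an APK would)
// and returns the verdicts of the vulnerable (name-only) and fixed (signature-checked) installer.
func evaluate(app, publisher *x509.Certificate) (vulnerable, fixed bool) {
	bundle := []*x509.Certificate{app, publisher}
	return signedBy(buildChain(app, bundle, false), publisher),
		signedBy(buildChain(app, bundle, true), publisher)
}

// buildScenario: a hypothetical publisher root, an app it really signed, and an attacker's app
// whose certificate only names the publisher as its issuer.
func buildScenario() (publisher, genuine, forged *x509.Certificate) {
	pubKey := newKey()
	publisher = issue("Trusted Publisher Inc", nil, pubKey, pubKey)
	genuine = issue("Genuine App", publisher, pubKey, newKey())
	attackerKey := newKey()
	fakeParent := &x509.Certificate{Subject: publisher.Subject} // name only, no key
	forged = issue("Attacker App", fakeParent, attackerKey, attackerKey)
	return
}

func main() {
	publisher, genuine, forged := buildScenario()
	fmt.Println(evaluate(genuine, publisher)) // true true
	fmt.Println(evaluate(forged, publisher))  // true false
}
```

The fix is the single `CheckSignatureFrom` call: once every link in the chain must carry a valid signature from the certificate it names as issuer, the forged app's chain stops at its own leaf and the publisher's certificate never appears in it, so the privilege check fails.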

Such a flaw is a serious threat because it isn't limited to any one app. A payment app such as Google Wallet or PayPal could be impersonated, giving attackers access to personal financial and security data. Even remote device-management software could be fooled, handing attackers nearly full control of the device.

BlueBox finished its research in March and immediately sent the results to Google. In April the Android security team developed a fix and sent it to manufacturers, who then had 90 days to ship it before BlueBox disclosed its findings publicly. BlueBox, however, has tested 40 major Android devices and knows of only one manufacturer that has shipped the fix.


While the bug is out there, Google reports that it has scanned all the apps in Google Play, as well as apps outside the store that Google has reviewed, and has not seen the method used for exploitation yet. With the news now public, though, it is only a matter of time until someone tries it. With Google on the case, hopefully it can keep watching app submissions and stop any from causing too much havoc.

What does this all mean for you? At this point you are not in much real danger. Google is watching app submissions, and manufacturers have a fix available that will likely reach more devices now that the news is public. Until your device gets that update, though, the flaw is still present, so installing only apps from Google Play and checking your manufacturer for a system update are the two things that actually reduce your exposure. As always, keep your eyes open and be smart: if an app looks suspicious, think twice before installing it. It could cost you more than you think.

Source: Bloomberg Businessweek

A nerd at heart, Nick is an average person who has a passion for all things electronic. When not spending his time writing about the latest gadgets, Nick enjoys reading, dabbling in photography, and experimenting with anything and everything coffee. Should you wish to know more about him, you can follow him on Twitter @nsarafolean.


  • SGB101

    It seems this new flaw is 4 years old! And has been known to Google for a long time. Steve Gibson covered it in last night's Security Now.

  • Terry Wilcox

    There is now an excellent solution to stop malicious or fake apps performing malicious or fraudulent actions on the device, such as stealing passwords, transmitting data, etc., called CheckMyApps. It would prevent this type of problem even with the security hole in Android. It has just been identified by Gartner as a visionary (available around the world through http://www.growyellow.com). This advanced security solution validates the operations of all apps on the device to check for any malicious actions or behaviours, thereby offering complete protection for the user, not just a single app that has been 'hardened'. There is a corporate edition with full MDM-type function or a free personal version. Contact me if you need more details; email me at twi[at]growyellow{dot}com

  • HectorPA

    Just what I've been saying: everybody who jumps on the remote house control wagon could potentially have their homes robbed by someone with one of these fake apps. Alarms, cameras, locks, all can be defeated while you're blissfully unaware. "Smart" phones, dumb users.

    • Tma

      The same way you shouldn't drive a car, because it could have a defect and there is a chance that it will lead to an accident, so it's better to ride a horse.

  • Gopu

    Hm, I should start using my Nokia 1100 again.