A bug in millions of Android devices has been discovered that allows attackers to imitate existing applications, control settings and access the user’s credit card details.
Bluebox, which identified the bug, explained that all versions of Android from 2.1 to 4.4 were affected, including models from HTC, Sharp, Sony Ericsson and Motorola. Researchers called for particular caution for devices running a 3LM management package which are more likely to surrender complete access to the malicious code.
Bluebox suggested that the vulnerability was directly linked to the way Android has dealt with its certificate validation. Android apps are signed using a digital certification that establishes the identity of the developer; however the flaw occurs as although Android verifies the ID, it fails to authenticate that the digital signature has not been forged – hence why the bug has been named Fake ID.
According to the researchers, this means that attackers are able to impersonate trusted applications, such as Google Wallet, and run malicious code inside them to access personal data, in this case payment information.
“It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware,” said Jeff Forristal, CTO at Bluebox, who is expected to discuss the bug in more detail in a presentation in Las Vegas next week.
Following the disclosure by Bluebox, a Google spokesperson has confirmed that it quickly created a patch which was delivered to Android partners and to the Android Open Source Project.
“Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,” added the spokesperson.