Bluebox Security has found a security loophole in Google’s Android operating system through which attackers are able to feign legitimate applications in the ecosystem in order to deceive users and take control of their mobile devices.
The Android ecosystem has a mechanism that is supposed to verify the identity of a certain app. This mechanism is important because it provides a good measure of authenticity for various online transactions. For example, it works to confirm that someone who is logged in to a bank account is the real owner of that account, not a hacker or third-party user.
For Android applications, a digital signature is assigned to each software system as a virtual identification tag. Therefore, every program on an Android mobile device bears an ID that has been created based off the app’s signature. But security researchers at Bluebox found that Android’s security infrastructure overlooks the verification process to determine whether an application comes indeed from the company or developer that claims to be.
Android versions that contain the flaw are those that start from 2.1 and higher. The version 4.4 known as KitKat also has this vulnerability, though the one that enables for the creation of a fake Adobe system has been patched.
This flaw lets hackers develop malware based on an app’s signature in order to seize control of your system. The case if fake IDs potentially affect all apps on Android. Earlier this month, we’ve reported that hundreds of thousands of fake apps have been spotted on the Google Play Store.
What is worrying about this vulnerability is when a hacker creates a fake app for mobile payment such as PayPal. The danger there is when you trust that the app is legit and you enter your payment details such as your credit card and PIN. Or worse yet, when a hackers try to feign an administrative software system, which would totally give them full access and control to your device by the time you fall for the trap.
The most remarkable aspect of the bug discovery is the level of collaboration required of both the developer community and the Android team at Google. The Android team rolled out fixes in April and phone makers were able to receive patches.
Google also confirmed that it has improved user protection measures from the claws of fake ID for Google Play and Verify Apps ecosystems. Thus far, following the fake ID flaw, Google found no other vulnerability nor did it receive reports of threats.