A vulnerability has been detected in Google Android that allows malware to be passed off as authorised applications, which can then control device settings and access user information, including credit card data.
BlueBox Security reported the bug, which it has called 'Fake ID', to Google. Google has created a fix, although not all handset manufacturers have pushed it to users yet.
Fake ID works because Android performs incomplete checking of the certificate signatures attached to Android apps. Android checks that an app presents the right identity before granting it special privileges, but it fails to verify that the certificate signature involved was actually issued by the claimed signer and not forged.
This means that a hacker can create their own identity certificate, falsely claim it has been signed as trustworthy by a trusted third party, and then use that identity certificate to sign a malicious piece of software. Android then accepts the malware as 'trusted', with no further verification, and grants it the special privileges.
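The missing step described above can be shown in a few dozen lines. The following is an added example written for this page, not code from BlueBox, Google or the Android source: it uses Go's standard library to build three constructed X.509 certificates (an issuer named "Example Trusted CA", a leaf that issuer genuinely signed, and a leaf that merely names the issuer while being signed with a different key), then runs both leaves through a name-only check and through a real signature check. The certificate names are invented, and Android's own package-verification code is not modelled, only the logic the article describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed certificates: the trusted issuer, a leaf it
// really signed, and a leaf that only claims to have been signed by it.
type Scenario struct {
	CA, LegitLeaf, ForgedLeaf *x509.Certificate
}

// issue creates a certificate from tmpl, naming parent as issuer and signing
// with signerKey, then parses it back so the verification APIs can use it.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signerKey ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leafTemplate is an end-entity template with a constructed name.
func leafTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// BuildScenario constructs the issuer and both leaves. All names are made up.
func BuildScenario() (*Scenario, error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := leafTemplate(1, "Example Trusted CA")
	caTmpl.IsCA = true
	caTmpl.BasicConstraintsValid = true
	caTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	ca, err := issue(caTmpl, caTmpl, caPub, caPriv) // self-signed root
	if err != nil {
		return nil, err
	}

	// Legitimate leaf: the issuer really signs it with its own private key.
	legitPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	legit, err := issue(leafTemplate(2, "legit.app.example"), ca, legitPub, caPriv)
	if err != nil {
		return nil, err
	}

	// Forged leaf: the issuer field carries the trusted CA's name, but the
	// signature is made with a key the CA never held. The "parent" passed
	// here is only a template with the CA's name and no public key, which is
	// all that someone without the CA's key can produce.
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	claimedIssuer := &x509.Certificate{Subject: pkix.Name{CommonName: ca.Subject.CommonName}}
	forged, err := issue(leafTemplate(3, "lookalike.app.example"), claimedIssuer, otherPub, otherPriv)
	if err != nil {
		return nil, err
	}
	return &Scenario{CA: ca, LegitLeaf: legit, ForgedLeaf: forged}, nil
}

// AcceptedByIssuerNameOnly models the incomplete check the article describes:
// it believes whatever the certificate says about who issued it.
func AcceptedByIssuerNameOnly(leaf, trusted *x509.Certificate) bool {
	return leaf.Issuer.CommonName == trusted.Subject.CommonName
}

// AcceptedBySignatureCheck is the missing step: the issuer claim counts only
// if the trusted issuer's public key actually verifies the leaf's signature.
func AcceptedBySignatureCheck(leaf, trusted *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(trusted) == nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	for name, leaf := range map[string]*x509.Certificate{"legit": s.LegitLeaf, "forged": s.ForgedLeaf} {
		fmt.Printf("%-6s issuer-name-only=%v signature-verified=%v\n",
			name, AcceptedByIssuerNameOnly(leaf, s.CA), AcceptedBySignatureCheck(leaf, s.CA))
	}
}
```

Running it shows the forged leaf passing the name-only check and failing the signature check, while the genuine leaf passes both; in a real chain the same signature check has to be applied at every link, not just at the leaf.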
The vulnerability dates back to Android 2.1 released in
BlueBox says that the flaw could be particularly serious because the certification system grants certain privileges to trusted certificates. An application bearing the signature (i.e. the digital certificate identity) of
Google has acknowledged the issue, and released a fix, although phone manufacturers still need to incorporate that fix into firmware updates and push it out to users.