Another day, another Android security scare, so it seems. The latest comes by way of what researchers are calling the “Fake ID” exploit. The vulnerability — found in all Android devices since 2.1 — allows malicious applications to bypass Android’s normal security checks by forging their identity, giving them access to potentially sensitive data like user credentials, emails, payment history or anything else you’d like to keep away from prying eyes.
How is this possible? It comes down to Android failing to verify the validity of an app’s cryptographic signature. The OS relies on that signature when deciding which special privileges to grant an app (such as access to NFC or the ability to act as a plugin for another app), so an app that forges it can escape the normal Android sandbox. KitKat reportedly limits some of what this exploit can do, but it is still partly vulnerable.
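To make the missing check concrete, here is an added Go example (not code from the article, Google or Bluebox) using a constructed toy PKI: it creates a certificate that merely names a trusted CA as its issuer without being signed by it, then shows that a chain check which only compares names accepts it, while one that actually verifies the signature rejects it. The CA and app names are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a cert for pub naming issuerCN as Issuer, signed by signer (not necessarily the issuer's key).
func issue(cn, issuerCN string, ca bool, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         ca, BasicConstraintsValid: true,
	}
	// parent carries only a name, so Go copies it into Issuer without checking signer.
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER from CreateCertificate is well-formed
	return cert
}

// BuildDemoPKI constructs a CA, an app cert it really signed, and a self-signed app
// cert that names the CA as issuer but was never signed by it (the Fake ID case).
func BuildDemoPKI() (root, legit, fake *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	appKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root = issue("Trusted Platform CA", "Trusted Platform CA", true, &caKey.PublicKey, caKey)
	legit = issue("Legit App", "Trusted Platform CA", false, &appKey.PublicKey, caKey)
	fake = issue("Fake ID App", "Trusted Platform CA", false, &appKey.PublicKey, appKey)
	return root, legit, fake
}

// NameOnlyLink mimics the flawed chain check: issuer name matches, no signature check.
func NameOnlyLink(child, parent *x509.Certificate) bool {
	return child.Issuer.String() == parent.Subject.String()
}

// VerifiedLink is the fix: the name must match AND parent's key must verify the signature.
func VerifiedLink(child, parent *x509.Certificate) bool {
	return NameOnlyLink(child, parent) && child.CheckSignatureFrom(parent) == nil
}
```

The fake certificate passes NameOnlyLink and fails VerifiedLink, which is the difference between trusting a claimed identity and a proven one.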
Upon hearing the news, Google was quick to respond to the issue, and even though there have been no recorded instances of malicious apps actually exploiting it on anyone’s device, they thanked the folks at Bluebox Security for their findings. The good news? A patch has already been pushed to AOSP and sent to OEMs for them to apply as they see fit. The bad news? There’s no telling how long something like that can take before it hits your T-Mobile G2X. Here’s the statement Google gave Ars Technica:
“We appreciate Bluebox responsibly reporting this vulnerability to us; third-party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.”
In the meantime, you may want to exercise a little caution when downloading any “special” apps not found on the Google Play Store.