Something else to worry about for the Android-paranoid community: A company named Bluebox Security discovered a design error in Android that allows malicious apps to conduct a hostile takeover of an Android device without so much as a "pretty please" at installation.
The exposure period is substantial, potentially affecting most Android phones from 2010 through the present day.
The flaw, called "Fake ID" by Bluebox, lets malware apps gain access to Android through fake credentials, aided by the operating system's failure to verify the app's security credentials.
Google, a trusting company, granted many "trusted" apps a wide range of permissions to compute amuck within the Android architecture. The design flaw lets malware apps enjoy these rights and privileges by bypassing special permissions required at installation. These bad-boy apps can easily take full control of the device and help themselves to private financial data, contacts, and perhaps most alarmingly, data stored in the cloud.
Bluebox claims that the vulnerability is present in Android 2.1 through all Android releases except Android 4.4 KitKat. Apparently, KitKat is specifically immune to damage due to a move away from more vulnerable Adobe-centric plugin code.
It seems that Adobe Flash is especially vulnerable to exploitation, so Apple wins that battle -- it cited Flash's susceptibility to malware when the company refused to allow Flash into iOS.
Bluebox informed Google of its findings over three months ago, and Google issued a patch in April 2014. The problem is making owners aware of both the flaw and the fix. The slow distribution of the patch points to the ongoing problem with an OS that has so many stewards -- all of the mobile device makers that use it -- each releasing patches on its own schedule rather than in a coordinated way.
Unfortunately, even device makers using customized versions of Android, as Amazon does in its new Fire Phone, are also open to exploitation of the original flaw.
Scarily, malware can exploit the flaw to pose as Google Wallet and gain easy access to sensitive financial data and passwords. Even worse, since Google Wallet does not use the Adobe Flash code that has already been patched, Google Wallet and other apps are still at risk in KitKat 4.4.4 and even in the forthcoming Android L release.
Bluebox CTO Jeff Forristal wrote in a blog, "The vulnerability allows malicious applications to impersonate specially recognized trusted applications without user notification. The vulnerability can be used by malware to escape the normal application sandbox and insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM."
Forristal encouraged users to install the Bluebox Security Scanner app to determine if an Android device contains the Fake ID vulnerability.