A new Android vulnerability has been discovered. The bug, called Fake ID, allows attackers to steal data and essentially take over a phone.
The security hole, which allows malware to impersonate apps, is said to have the capability to steal sensitive information such as credit card numbers. Fake ID also allows hackers to take control of a device through changes in its settings.
The vulnerability, which was discovered by researchers from Bluebox Labs, is more effective than most bugs because the malware does not need the permission of users to take control of a device.
"The vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM," Jeff Forristal, Bluebox's Chief Technology Officer, said in a blog post.
Fake ID works by exploiting the way Android handles identity certificates, which are used to verify that an app is what it appears to be. Identity certificates are issued by certificate authorities such as Verisign; a web browser, for example, would trust any certificate issued by Verisign. According to Bluebox, the security hole allows hackers to create their own identity certificate and then forge a claim that it was issued by a certificate authority. After that, attackers can sign an application with the malicious identity certificate and the forged certificate authority claim.
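The difference between trusting an issuer claim and verifying it can be shown with a simplified model. This is an added example, not Android's or Bluebox's code; the certificate fields, function names, and the deterministic toy textbook-RSA keys are assumptions made for illustration and are not real X.509 or production cryptography.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # a claim written by whoever built the certificate
    pub_n: int    # subject's public modulus
    sig: int      # signature over the three fields above

def toy_key(p, q):
    # Returns (modulus, private exponent) for textbook RSA; illustration only.
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(subject, issuer, pub_n, mod):
    data = f"{subject}|{issuer}|{pub_n}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % mod

def make_cert(subject, subject_n, issuer, signing_key):
    n, d = signing_key
    h = digest(subject, issuer, subject_n, n)
    return Cert(subject, issuer, subject_n, pow(h, d, n))

def chain_ok_names_only(chain):
    # Weak: accepts the issuer string without checking any signature.
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))

def chain_ok_verified(chain):
    # Strong: each signature must verify under the claimed issuer's public key.
    # The last element of the chain is assumed to be a pinned trust anchor.
    for c, p in zip(chain, chain[1:]):
        expected = digest(c.subject, c.issuer, c.pub_n, p.pub_n)
        if c.issuer != p.subject or pow(c.sig, E, p.pub_n) != expected:
            return False
    return True

# Constructed sample data (Mersenne primes keep the toy keys deterministic).
ca_key = toy_key(2**61 - 1, 2**89 - 1)
vendor_key = toy_key(2**19 - 1, 2**31 - 1)
other_key = toy_key(2**107 - 1, 2**127 - 1)
ca = make_cert("Example Trusted CA", ca_key[0], "Example Trusted CA", ca_key)
genuine = make_cert("vendor app", vendor_key[0], "Example Trusted CA", ca_key)
# Same issuer claim, but signed with a key the CA never held.
forged = make_cert("vendor app", other_key[0], "Example Trusted CA", other_key)

if __name__ == "__main__":
    for name, leaf in (("genuine", genuine), ("forged", forged)):
        print(name, chain_ok_names_only([leaf, ca]), chain_ok_verified([leaf, ca]))
```

Both certificates pass the name-only check, while only the one actually signed by the CA key passes the signature check.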
The vulnerability affects all Android phones. Forristal said that Fake ID dates back to the launch of Android 2.1 in January 2010 and can be used on all Android devices that do not have the patch for Google bug 13678484. Google was alerted to the bug and released a patch last April. However, all devices running anything older than Android 4.4 KitKat are still vulnerable to malicious apps that insert Trojan horse code into other apps. This could lead to malicious apps accessing data and executing actions in other apps.
Google has already sent out a generic code fix for Fake ID. Currently, phone manufacturers and carriers are working on a firmware update that will be sent out to users.