A flaw in Google’s Android system may allow hackers to re-create trusted applications and load them with malware, posing numerous security risks.
Tech security firm Bluebox Security flagged Android’s “Fake ID” flaw today in a blog post:
Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.
The problem Bluebox discovered is that Android fails to check the validity of certain applications, making it easy for hackers to access the application’s digital identity certificate and, essentially, forge it.
The “Fake ID” vulnerability affects Android systems 2.1 to 4.4. Read more about it here.