This article is a guest post and the author’s views are completely his or her own. It may or may not reflect trendblog’s point of view.
It was bound to happen sooner or later. According to researchers from the security firm Bluebox, a recently discovered security vulnerability renders a large majority of Android devices unsecured and open to malicious attacks.
Introducing the “Fake ID” Flaw
The bug, now called “Fake ID,” apparently uses a flaw in app verification procedures to gain permission for functions that would otherwise only be available to trusted applications. The flaw is easily taken advantage of in older versions of the Android OS.
Before an app can actually be installed on an Android powered device, it must be signed by a digital certificate that signifies the content is from a trusted and approved source. This prevents malicious parties from gaining access to various devices.
Most verification processes are designed to work in a chain, checking each certificate assigned to an app — of which there are usually multiple — to ensure everything comes from the same safe and secure source. That’s not how the Android platform works, however, and that’s exactly how parties can take advantage. All they have to do is include certificates for a different app and malicious programs can skate by appearing as a trusted service.
The actual design flaw is related to Adobe Flash, which Google stopped using in newer versions of the platform. A privilege plugin or certificate related to Flash can gain access to the device through the browser. Malicious parties may include the certificate in third-party apps, allowing them to appear as Adobe Flash to the system, which means they gain permission to access sensitive data.
Worse yet, when a trusted certificate is used, the app generally does not require user input to gain access to data, content or hardware. In other words, the special permissions are almost always granted without question — provided the certificates seem in order — and the apps are free to do as they wish. In this case, hackers can gain access to everything that Adobe Flash would be able to.
Jeff Forristal, chief technology officer at Bluebox, says “it is very, very easy for malware to use this attack — it is silent, transparent, with no notifications to users.”
If you own a newer device running Android 4.4 or above then you are safe. Google actually patched the vulnerability not long after it was discovered. That said, devices running older versions of Android are still at risk. Believe it or not, stats from Google show that nearly 82% of all Android devices on the market are running an OS version earlier than 4.4, which means there are a lot of people at risk.
What Can You Do?
If a device is running an older version of the OS, nothing can be done since consumers have to wait for their mobile carriers and device manufacturers to release software updates for their device(s) — the process takes a long time and does not happen often. Furthermore, unlike a lot of other platforms, there are no surefire methods for detecting hackers through Android. With traditional computers and secure networks it’s possible to detect threats before they are able to cause any harm. Android does not yet have such measures in place.
However, Google says that no one has tried to use the vulnerability. Perhaps a more accurate description is that there’s no evidence such a thing has happened yet — the key word there being “yet.”
A Google spokesman released this statement about the vulnerability:
“At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.”
Bluebox actually notified Google about the design flaw more than three months ago, but consumers are just now hearing about the problem. Only time will tell whether or not someone is able to gain access to sensitive data through the vulnerability and wreak havoc, if it does — don’t let it happen to you.