A flaw in the Android smartphone OS allows hackers to pose malicious software as trusted, certified programs raising security concerns for the Google product.
The blog post on Bluebox Security claims the vulnerability, called “Fake ID”, affects all Android users from January 2010 till now - specifically all Androids between 2.1 through 4.4 KitKat, the latest release. An estimated 1.4 billion new devices were shipped with the Android OS between 2012 and 2013.
Here’s the deal. Each Android app has a unique identity that usually is inherited from its developer’s identity like an ID card. It’s termed Fake ID, as it might suggest, because hackers can replicate this ID and further nefarious and fraudulent ends. The consequences could range from impersonating your browser and logging your passwords or it could impersonate your Google Wallet and extract your NFC financial and payment information.
Where's the fix, Google?
Basically, the vulnerability exists because Android does not authenticate the IDs. Similar to how one might try to flash a fake to a bouncer, Android doesn’t use some special UV light or look for special plastic what-have-you. It just lets everyone with a card through to the VIP section.
The fix has been disclosed and reported for patching in April 2014 though they have yet to arrive to Android users. This delay appears to be partially the reason that Bluebox went public with this vulnerability yesterday.
The Android security team had 90 days from the initial submission in April to distribute the patch. Yet when Bluebox recently tested and scanned some 40 Android devices and the Google Play store, only one vendor had the patch out.
Somewhat unsettlingly, Christopher Katsaros, a Google spokesman said, “At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.”
READ MORE: Everything you need to know about Android L
[Source: Fast Company]