A new Android design error discovered by Bluebox Security allows malicious apps to grab extensive control over a user’s device without asking for any special permissions at installation. The problem affects virtually all Android phones sold since 2010.
Because Google does not verify the security certificate when an app is loaded, malware can claim to be any app, even trusted ones.
There’s also another complication. “The problem is further compounded by the fact that multiple signers can sign an Android application (as long as each signer signs all the same application pieces),” Bluebox noted.
“This allows a hacker to create a single malicious application that carries multiple fake identities at once, taking advantage of multiple signature verification privilege opportunities to escape the sandbox, access NFC hardware used in secure payments, and take device administrative control without any prompt or notification provide to the user of the device.”
Only 18% of Android phones have upgraded to prevent the Adobe Flash flaw that can be exploited. And many Android phones can never be upgraded.
And the flaw also extends to a wide range of trusted apps. The malware can get all your financial information stored in Goggle Wallet.
The hack also extends to phones from Amazon. Not good when launching a new phone.
Google has known about this for over 3 months. So a major security flaw, that allows a downloaded app to grab access to your most sensitive data, has not been dealt with even as millions of people worldwide buy new phones.
Phones that may never be able to be fixed.
On the other hand, Fake ID requires no user involvement, and can be used by malware posing as an innocent app or game that requests no special permissions. Once installed, the app can take over without the user having any knowledge of being infected.
This is one reason the ‘walled garden’ of the iOS App store is safer. There may be flaws but they are easier to prevent, to fix and to send out solutions for.