Back in the day, when a mobile phone’s only purpose was to make calls and send texts and no one even dreamt of using it to access the internet, users’ biggest fear was that their handset could get stolen or lost. Today such misfortunes are still very much real, but there are also other threats that could put the safety of your Android device at risk. Recently it came to our attention that Android has a ‘Fake ID’ security flaw that could allow hackers to hijack your phone or tablet.
Over 82% of Android installs could be vulnerable…
The flaw was discovered by security company Bluebox Labs and was named “Fake ID” because of the way it supposedly allows apps to act as other apps to gain access to restricted features of the device. It appears that the problem is caused by inadequate certificate checks. In order to limit the amount of malware released to the market, all apps need to have identity certificates which prove that they are trustworthy. The Guardian calls them “child certificates.” “Parent certificates”, on the other hand, are handed down by the original software creator.
When you try to install a new app, both certificates are checked against each other to see if they match. The app can be installed only when they do. That is the theory, but it turns out that in practice any app could contain a certificate that appears to be handed out by a trusted source when in fact it wasn’t. Bluebox Labs proved that it can be done using Adobe Systems certificates, which grant apps the right to load HTML code, including malicious code, in all other applications.
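The gap between a certificate that merely names a trusted parent and one the parent actually signed can be shown in a few lines. This is an added example, not code from Bluebox Labs, Google or Android: the name-only check is an assumed model of an inadequate check, and the certificate names, the toy textbook-RSA keys and all helper functions are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys below

def make_key(p, q):
    """Toy textbook-RSA key from two primes: (public modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

class Cert:
    """Simplified certificate (hypothetical format, not real X.509)."""
    def __init__(self, subject, issuer, pub_n):
        self.subject, self.issuer, self.pub_n = subject, issuer, pub_n
        self.signature = 0  # issuer's signature over tbs()

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub_n}".encode()

def issue(subject, issuer, pub_n, signer_n, signer_d):
    """Build a certificate and sign it with the given private key."""
    cert = Cert(subject, issuer, pub_n)
    cert.signature = pow(digest(cert.tbs(), signer_n), signer_d, signer_n)
    return cert

def names_match(child, parent):
    """Inadequate check: compares names only, never touches the signature."""
    return child.issuer == parent.subject

def chain_verified(child, parent):
    """Adequate check: names match and the parent's key verifies the signature."""
    expected = digest(child.tbs(), parent.pub_n)
    return names_match(child, parent) and pow(child.signature, E, parent.pub_n) == expected

# Constructed sample data: Mersenne primes keep the toy keys reproducible.
VENDOR_N, VENDOR_D = make_key(2**61 - 1, 2**89 - 1)
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**127 - 1)

parent = issue("Trusted Vendor", "Trusted Vendor", VENDOR_N, VENDOR_N, VENDOR_D)
genuine = issue("Vendor Plugin", "Trusted Vendor", OTHER_N, VENDOR_N, VENDOR_D)
# Names the trusted vendor as issuer, but the vendor's key never signed it.
claimed = issue("Unrelated App", "Trusted Vendor", OTHER_N, OTHER_N, OTHER_D)

if __name__ == "__main__":
    for cert in (genuine, claimed):
        print(cert.subject, names_match(cert, parent), chain_verified(cert, parent))
```

Both certificates pass the name comparison, but only the one signed with the parent's key passes the signature check.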
According to the company, Fake ID has been present in Android from version 2.1 to the latest 4.4, which means that over 82% of OS installs could be vulnerable. Google has already issued a patch to Android partners and to the Android Open Source Project, but it will certainly take some time to reach your device.
It’s true that the threat is scary, but there’s no need to panic. Keep your eyes open, use all the safety measures you can and with any luck, your Android phone or tablet won’t become another number in the statistics.