Android: Fake-ID Security Problem Could Leave Millions Open to Attack
Millions of people using Android devices could be left open to attack from malicious apps that appear to come from legitimate developers, due to a flaw in Google’s mobile software. But Google says it has already issued a patch, and has seen ‘no evidence of attempted exploitation of this vulnerability’.
The flaw has been named “Fake ID” by security company Bluebox Labs, which discovered it. However, Google says it has already issued a patch to protect Android users from attacks exploiting the flaw.
Fake ID has been resident in Android from version 2.1 to 4.4, although it was fixed in April as part of the latest update, Android KitKat. Millions of devices could still be at risk, though, as Google’s own figures show that 82.1% of Android users are running an older version.
In a blog post published today, Bluebox explained that the problem lies in how app security is checked on Android: each app is given its own cryptographic signature, which determines who can update it and what privileges it has on a device.
Read more at TheGuardian.com