Android Fake ID bug exposes devices


A flaw in Android has been revealed that lets malware insert malicious code into other apps, gain access to users’ credit card information and take control of device settings.

The bug was revealed by the somewhat notorious BlueBox Labs team, who said it was concerning because users didn’t need to grant the malware special permissions for it to act.

Google was informed about the bug before it was announced publicly and has now incorporated a fix that people running the latest version of Android should receive from Android partners soon. The fix has also been incorporated into the Android Open Source Project (AOSP), so many people who run custom ROMs should look out for an update soon.

BlueBox’s chief technology officer, Jeff Forristal, says that the problem is that Android doesn’t confirm IDs, comparing it to a tradesman arriving at a building, presenting his ID to the security guard and being given special access to its infrastructure without a phone call being made to the tradesman’s employer to check he is really on its books. “The fundamental problem is simply that Android doesn’t verify any claims regarding if one identity is related to another identity.”

BlueBox is releasing an Android app to check whether users’ devices are patched against the bug.

Source: BBC News
