HOME     MENU     SEARCH     NEWSLETTER    
NEWS & INFORMATION FOR TECHNOLOGY PURCHASERS. UPDATED 9 MINUTES AGO.
You are here: Home / Mobile Tech / Android 'Fake ID' Puts Millions at Risk
Neustar, Inc.
Protect your website & network using real-time information & analysis
www.neustar.biz
Android 'Fake ID' Puts Millions of Users at Risk
Android 'Fake ID' Puts Millions of Users at Risk
By Jennifer LeClaire / NewsFactor Network Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
JULY
29
2014


Having this fake ID is nothing to brag about, even if you are a minor. The “Fake ID” Android flaw lets cybercriminals hide malicious code in your smartphone apps. It can swipe your credit card information and even take over your device.

Bluebox Security uncovered the malware in Google’s mobile operating system. According to the firm, the Fake ID vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification.

"This is a widespread vulnerability dating back to the January 2010 release of Android 2.1 and affecting all devices that are not patched for Google bug 13678484, disclosed to Google and released for patching in April 2014," Jeff Forristal, chief technology officer at Bluebox, wrote in a blog post.

This opens the door to a number of potential fallouts, including inserting a Trojan horse into an application by impersonating Adobe Systems. It could also gain access to NFC financial and payment data by impersonating Google Wallet, according to Bluebox.

“The problem is further compounded by the fact that multiple signers can sign an Android application -- as long as each signer signs all the same application pieces,” Forristal said. “This allows a hacker to create a single malicious application that carries multiple fake identities at once, taking advantage of multiple signature verification privilege opportunities to escape the sandbox, access NFC hardware used in secure payments, and take device administrative control without any prompt or notification provide[d] to the user of the device.”

The Best and Worst of Android

We caught up with Craig Young, security researcher for Tripwire, to get his take on the flaw. He told us the Android Fake ID attack is a malicious application that can present spoofed digital IDs without the mobile operating system noticing.

“The result is that an application requesting no special permissions at all could access sensitive parts of the phone's internals by masquerading as authorized programs such as Google Wallet, which has access to financial data or Adobe's Flash plugin, which has the ability to inject code into other processes,” Young said.

As Young sees it, the Android Fake ID vulnerability highlights some of the best and worst aspects of the Android security system. On one hand, he said, Android's open nature attracts third-party security review from white hat firms such as BlueBox, whereas proprietary systems sometimes discourage security research and even take measures to hinder it. On the other hand, he continued, Android's fragmented ecosystem means that many devices will forever be affected by this vulnerability due to short device support windows and phone carriers that are slow to issue patches for the flaw.

All Is Not Lost

“All is not lost for owners of unsupported devices however as long as they stick to applications obtained from the Google Play store and do not enable apps from untrusted sources,” Young said. “Users without access to Google Play or who want an added layer of protection should install a mobile anti-virus product to detect this and other malicious apps.”

If this attack has been used in the wild, Young said it was likely limited to specific targeted attacks and not with apps distributed through Google Play.

“Upon confirming reports of the Fake ID vulnerability, Google scanned their store as well as some other sources for exploits and came up empty handed,” Young concluded. “Now that the cat is out of the bag however I would expect to see apps with fake IDs showing up in third party markets or drive-by download attacks."

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
TOP STORIES NOW
MAY INTEREST YOU
Forrester study shows 187% ROI with Druva Endpoint Backup: In a commissioned study conducted by Forrester Consulting on behalf of Druva, Forrester found that the costs and benefits for a composite organization with 3,000 inSync users, based on customer interviews, are: 1) 187% return on investment, and 2) Total cost savings and benefits of $3.8 million. Click here to access the study now.
MORE IN MOBILE TECH
Product Information and Resources for Technology You Can Use To Boost Your Business

NETWORK SECURITY SPOTLIGHT
The FBI is pointing the finger of blame for the Sony Pictures cyberattack directly at North Korea. The hackers stole confidential data and caused the movie giant to can its new comic film, "The Interview."

ENTERPRISE HARDWARE SPOTLIGHT
Almost half of consumer, industry and life sciences manufacturers are expected to be using 3D printers within three years and now 3D printing services are aiming to help companies experiment.

© Copyright 2014 NewsFactor Network, Inc. All rights reserved. Member of Accuserve Ad Network.