Having this fake ID is nothing to brag about, even if you are a minor. The “Fake ID” Android flaw lets cybercriminals hide malicious code in your smartphone apps. It can swipe your credit card information and even take over your device.
Bluebox Security uncovered the malware in Google’s mobile operating system. According to the firm, the Fake ID vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification.
"This is a widespread vulnerability dating back to the January 2010 release of Android 2.1 and affecting all devices that are not patched for Google bug 13678484, disclosed to Google and released for patching in April 2014," Jeff Forristal, chief technology officer at Bluebox, wrote in a blog post.
This opens the door to a number of potential fallouts, including inserting a Trojan horse into an application by impersonating Adobe Systems. It could also gain access to NFC financial and payment by impersonating Google Wallet, according to Bluebox.
“The problem is further compounded by the fact that multiple signers can sign an Android application -- as long as each signer signs all the same application pieces,” Forristal said. “This allows a hacker to create a single malicious application that carries multiple fake identities at once, taking advantage of multiple signature verification privilege opportunities to escape the sandbox, access NFC hardware used in secure payments, and take device administrative control without any prompt or notification provide[d] to the user of the device.”
The Best and Worst of Android
We caught up with Craig Young, security researcher for Tripwire, to get his take on the flaw. He told us the Android Fake ID attack is a malicious application that can present spoofed digital IDs without the mobile operating system noticing.
“The result is that an application requesting no special permissions at all could access sensitive parts of the phone's internals by masquerading as authorized programs such as Google Wallet, which has access to financial data or Adobe's Flash plugin, which has the ability to inject code into other processes,” Young said.
As Young sees it, the Android Fake ID vulnerability highlights some of the best and worst aspects of the Android security system. On one hand, he said, Android's open nature attracts third-party security review from white hat firms such as BlueBox, whereas proprietary systems sometimes discourage security research and even take measures to hinder it. On the other hand, he continued, Android's fragmented ecosystem means that many devices will forever be affected by this vulnerability due to short device support windows and phone carriers that are slow to issue patches for the flaw.
All Is Not Lost
“All is not lost for owners of unsupported devices however as long as they stick to applications obtained from the Google Play store and do not enable apps from untrusted sources,” Young said. “Users without access to Google Play or who want an added layer of protection should install a mobile anti-virus product to detect this and other malicious apps.”
If this attack has been used in the wild, Young said it was likely limited to specific targeted attacks and not with apps distributed through Google Play.
“Upon confirming reports of the Fake ID vulnerability, Google scanned their store as well as some other sources for exploits and came up empty handed,” Young concluded. “Now that the cat is out of the bag however I would expect to see apps with fake IDs showing up in third party markets or drive-by download attacks."