Millions of people are vulnerable to malware attacks on their Android devices that could potentially access sensitive information such as banking data, according to a report published this morning by mobile security research firm Bluebox Labs, which has named this threat “Fake ID.”
Every Android app has its own identity certificate, which is passed down from the developer who created it. However, Bluebox Labs has discovered a bug in the Android operating system that allows rogue developers to copy these identities and gain undue privileges for their malware apps.
Bluebox says this can result in a variety of consequences, including “insert[ing] a Trojan horse into an application by impersonating Adobe Systems; gain[ing] access to NFC financial and payment data by impersonating Google Wallet; or tak[ing] full management control of the entire device by impersonating 3LM.”
Using the Fake ID vulnerability, hackers can create an app that impersonates multiple identities at once, meaning users could be hit with all of the attacks listed above, and more, after downloading a single malicious app.
Google has patched the issue in the latest version of Android, 4.4 KitKat, but 82.1% of users are currently running an older version according to Google, leaving them at risk from Fake ID.
Consumers should remain vigilant when downloading apps, and check to make sure apps come from trusted developers. Brand owners need to be aware that their brand may be exploited by hackers. Logos and brand names are often used to attract downloads for malicious apps, which may be laden with malware that exploits Fake ID or other vulnerabilities yet to be discovered.
Read the full report from Bluebox Labs here.