Home / / Bug in Android could allow access to personal data

Bug in Android could allow access to personal data

Fake ID vulnerability allows hackers to pass off malware as trusted apps

Bug in Android could allow access to personal data
Fake ID allows hackers to pass off malware as trusted apps.

A vulnerability has been detected in Google Android that can allow malware to be passed off as authorised applications which can control device settings and access user information including credit card data.

BlueBox Security reported the bug, which it has called ‘Fake ID' to Google. Google has created a fix, although it not all handset manufacturers have pushed it to users yet.

Fake ID works because of incomplete checking of certification signatures related to Android apps. Android checks an app has the right ID before granting it special privileges, but it fails to double-check that the certification signature involved was properly issued and not forged.

This means that a hacker can create their own identity certificate, falsely claim it has been signed as trustworthy by a trusted third party, and then use that identity certificate to sign a malicious piece of software. Android will then accept that the malware is ‘trusted', with no further attempts at verification, allowing the malware to access special privileges.

The vulnerability dates back to Android 2.1 released in January 2010.

BlueBox says that the flaw could have particular seriousness because the certification system allows certain privileges to trusted certificates. An application bearing the signature (i.e. the digital certificate identity) of Adobe Systems is allowed to act as a webview plugin of all other applications, presumably to support the Adobe Flash plugin. In another example, the application with the signature specified by the device's nfc_access.xml file (usually the signature of the Google Wallet application) is allowed to access the NFC SE hardware.

Google has acknowledged the issue, and released a fix, although phone manufacturers still need to incorporate that fix into firmware updates and push it out to users.

Follow us to get the most comprehensive IT Security news delivered fresh from our social media accounts on Facebook, Twitter, Youtube, and listen to our Weekly Podcast. Click here to sign up for our weekly newsletter on curated technology news in the Middle East and Worldwide.

REGISTER NOW | Webinar Event | Security you can bank on – Safeguarding the Middle East’s financial sector

Presented in partnership with security and network specialist Cybereason, the second in the three part webinar series will bring together a panel of experts to discuss how banks and financial institutions are evolving their service offering while simultaneously staying one step ahead of the cyber criminals who seek to bring their operations crashing to the ground.