
Millions could be at risk due to Android’s “fake ID” flaw

Bluebox Security, the same outfit that last year identified a worrisome (but thankfully patched) flaw in the Android app-packaging system, has done it again. On Tuesday, the company said it had found a new Android vulnerability that potentially allows the stealthy theft of information from millions of devices. Those with old Android handsets that no longer receive firmware updates are particularly at risk. However, as with the last time round, Android fans should check the details before freaking out – they’re probably not going to get hurt if they only install apps through the Play Store.

Millions of people using Android devices could be left open to attack from malicious apps that appear to come from legitimate developers, due to a flaw in Google’s mobile software. The flaw has been named “Fake ID” by security company Bluebox Labs, which discovered it. However, Google says it has already issued a patch to protect Android users from attacks exploiting the flaw. Fake ID has been resident in Android from version 2.1 to 4.4, although it was fixed in April as part of the latest update, Android KitKat. Millions of devices could still be at risk, though, as Google’s own figures show that 82.1% of Android users are running an older version.

In a blog post published today, Bluebox explained that the problem lies in how app security is checked on Android, with each app given its own cryptographic signature determining who can update it, and what privileges it has on a device. To get these signatures, apps are signed using “identity certificates”, which go along a chain of trusted parties, supposedly to guarantee the right people are in control of the software.


Written by Carl Durrek
