Google’s (GOOG) Android operating system has a security flaw that could allow hackers to impersonate trusted applications and potentially hijack your phone or tablet, according to research released today.
The basic issue is the way in which Android checks—or rather, does not check—that certain applications are what they say they are, according to Bluebox Security, the company that identified the vulnerability. Hence the catchy name, “Fake ID.”
Verifying identity is one of the most fundamental issues online. Is someone logging into a bank account the owner of that account? Is an application what it claims to be? San Francisco-based Bluebox helps companies secure their data on mobile devices, and its staff members work to research and understand the architecture of the mobile operating systems that Bluebox builds onto, says Jeff Forristal, chief technology officer.
Each Android application has its own digital signature—an ID card, in essence. Adobe Systems (ADBE), for example, has a specific signature on Android, and all programs from Adobe have an ID that’s based on that signature. Bluebox discovered that when an application flashes an Adobe ID, for example, Android does not check back with Adobe that it’s an authentic one. That means that a malicious actor could create malware based on Adobe’s signature and infect your system. The problem isn’t specific to Adobe; a hacker could create a malicious application that impersonates Google Wallet and then access payment and financial data. The same issue applies to administrative software present on some devices, allowing full control of the entire system.
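To make the verification gap concrete, the following Go program is an added example written for this article; it is not code from Bluebox, Google or the Android project, and it uses Go's standard crypto/x509 package with throwaway keys and a constructed, hypothetical vendor name rather than any real publisher's certificate. It builds two application certificates: one genuinely issued by the vendor, and an impostor whose issuer field merely copies the vendor's name because the attacker signed it under a look-alike certificate of their own. A check that only compares the issuer name (a model of "not checking back" with the vendor, as the article puts it) accepts both; a check that verifies the signature against the vendor's public key accepts only the genuine one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario: the vendor's signing certificate, an app certificate it genuinely
// issued, and an impostor app certificate that only names it as issuer.
type Scenario struct{ Vendor, Legit, Forged *x509.Certificate }

const vendorName = "Hypothetical Vendor Signing Key" // constructed; stands in for a real publisher

// template builds a certificate template. CA templates carry the basic
// constraints and certSign usage that CheckSignatureFrom demands of a parent.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue creates a certificate from tmpl with a fresh throwaway P-256 subject
// key and returns both. A nil parent means self-signed (the new key signs it
// and Issuer is copied from tmpl's Subject); otherwise signerKey signs it.
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario constructs the certificates. The attacker never touches the
// vendor's key: they self-sign a look-alike whose Subject copies the vendor's
// name and issue their app under it, so its Issuer field reads like the vendor's.
func BuildScenario() (*Scenario, error) {
	vendor, vendorKey, err := issue(template(1, vendorName, true), nil, nil)
	if err != nil {
		return nil, err
	}
	legit, _, err := issue(template(2, "Genuine App", false), vendor, vendorKey)
	if err != nil {
		return nil, err
	}
	lookalike, attackerKey, err := issue(template(3, vendorName, true), nil, nil)
	if err != nil {
		return nil, err
	}
	forged, _, err := issue(template(4, "Impostor App", false), lookalike, attackerKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Vendor: vendor, Legit: legit, Forged: forged}, nil
}

// NameOnlyCheck models the weak check: it trusts the issuer name written on
// the certificate without confirming that the vendor actually signed it.
func NameOnlyCheck(app, vendor *x509.Certificate) bool {
	return app.Issuer.String() == vendor.Subject.String()
}

// SignatureCheck models the correct check: the app certificate's signature
// must verify under the vendor's public key, and the vendor must be a CA.
func SignatureCheck(app, vendor *x509.Certificate) bool {
	return app.CheckSignatureFrom(vendor) == nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine app  name-only:", NameOnlyCheck(s.Legit, s.Vendor), " signature:", SignatureCheck(s.Legit, s.Vendor))
	fmt.Println("impostor app name-only:", NameOnlyCheck(s.Forged, s.Vendor), " signature:", SignatureCheck(s.Forged, s.Vendor))
}
```

The design point is that a certificate's issuer field is just a claim written by whoever created the certificate; the only thing that ties an app to a vendor is a signature that verifies under a key the vendor actually controls, which is what CheckSignatureFrom enforces and the name comparison does not.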
“We basically discovered a way to create fake ID cards,” says Forristal. “There are different vectors. They all come down to: I can create a fake ID card. The question is, which fake ID card do I create?”
The flaw affects Android systems from 2.1 (released in January 2010) on up, though the latest version, 4.4 or KitKat, has closed the hole as it relates to Adobe, according to Bluebox. To give an idea of scale: From 2012 to 2013, about 1.4 billion new devices shipped with the Android operating system, according to Gartner. Gartner (IT) estimates that 1.17 billion additional Android devices will ship this year.
“We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users,” said Christopher Katsaros, a Google spokesman.
The revelation of this particular vulnerability illustrates how security researchers and Google handle the discovery of flaws in software or programs. It also shows the complexity of handling a vulnerability affecting Android because fixes require adjustments from not only Google but also from various app developers and device makers.
Bluebox concluded its research in late March and submitted the bug to Google by March 31, according to Forristal. The Android security team developed a fix in April and provided the patch to vendors, who had 90 days to implement it before Bluebox publicized its findings, he says. Bluebox has tested about 40 Android-based devices out of more than 6,300 in the market. So far Bluebox knows of only one vendor that has put a patch out, he adds.
Google Play and Verify Apps have been enhanced to protect users from the Fake ID issue, said Katsaros, the Google spokesman.
“At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,” Katsaros said.
Bluebox plans to discuss its findings at the Black Hat convention in Las Vegas next week. Expect a lot more troubling security news before then. Black Hat tends to bring it out.
(Update: Includes comment from Google spokesman.)