Android FakeID Flaw Could Leave Phones Wide Open

Android phones are vulnerable to a flaw that lets attackers insert malicious code, access credit card data and change settings, researchers revealed this week.  Google has rushed out a fix, but it is up to phone makers to push the patch out to users.

The so-called “Fake ID” flaw affects phones shipped since 2010, running any Android version from 2.1 to 4.4 “KitKat”, according to security firm Bluebox. Google issued an update in April which fixes it, but Blueox warns that it may not be implemented everywhere.

Who are you?

Google has taken this calmly. It says there’s no evidence of the flaw being exploited, and it has updated the official Google Play store to spot any that emerge in approved apps. Meanwhile, the update will filter through to current phones.

“We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users,” said a Google statement. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP [Android Open Source Project]. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.”

The flaw comes because Android did not go far enough in validating applications. When an app is installed, Android checks the validity of its digital certificate – but certificates are issued by trusted sources, and Android doesn’t validate the chain all the way back to its source.

Since publishing its advisory earlier this week, Bluebox has noted that there are fixed versions of Android: “We have confirmed ‘fixed’ versions existing within the ranges of 4.1, 4.2, 4.3, and 4.4,” it says. Bluebox also offers a tool to check whether your phone is updated.

Try our Android quiz!