A major security vulnerability leaves the vast majority of Android devices open to malicious attacks, researchers from security firm Bluebox found.
The bug, dubbed “Fake ID” by Bluebox, exploits a flaw in the way older versions of Android verify apps, Ars Technica reports. Through it, malicious apps can gain special permissions usually reserved for other trusted apps.
In order to be installed, an app must be signed by a chain of digital certificates that verify the app is from a trusted and approved source. Verification processes typically check each certificate in the chain to ensure that it genuinely comes from the same source as the one before it. However, Android does not perform this check.
Consequently, by including a certificate for a different app, a malicious program can pass itself off as a trusted service.
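The distinction the two paragraphs above draw is between checking who a certificate *claims* issued it and checking who actually *signed* it. The following Go program is an added illustration, not code from the article, from Bluebox or from Android itself. It uses only the standard library to build a toy hierarchy (a constructed "Trusted CA", a "Genuine App" leaf it issued, and an "Impostor App" leaf that merely names the CA as its issuer) and runs both kinds of chain check on each leaf. The name-only check is a model of the flaw the article describes; `CheckSignatureFrom` is the correct check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial hands out unique serial numbers for the toy certificates.
var serial int64

// makeKey generates a fresh P-256 key for the toy hierarchy.
func makeKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a certificate for subject, signed with signerKey and naming
// signerCert.Subject as its issuer. If signerCert is nil it is self-signed.
func issue(subject string, key *ecdsa.PrivateKey, signerCert *x509.Certificate,
	signerKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	serial++
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	parent := tmpl
	if signerCert != nil {
		parent = signerCert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// chainByNameOnly models the flawed check: the child's Issuer name must equal
// the parent's Subject name, and nothing else is verified.
func chainByNameOnly(child, parent *x509.Certificate) bool {
	return child.Issuer.String() == parent.Subject.String()
}

// chainBySignature is the correct check: the parent's public key must verify
// the signature on the child, and the parent must be allowed to sign certs.
func chainBySignature(child, parent *x509.Certificate) bool {
	return child.CheckSignatureFrom(parent) == nil
}

// Demo builds the constructed hierarchy and returns the verdicts of both
// checks as [genuine, forged] pairs.
func Demo() (nameOnly [2]bool, bySignature [2]bool) {
	caKey := makeKey()
	ca := issue("Trusted CA", caKey, nil, caKey, true)

	genuineKey := makeKey()
	genuine := issue("Genuine App", genuineKey, ca, caKey, false)

	// The forged leaf copies only the CA's name into its Issuer field and is
	// signed by an unrelated key. The fake parent carries no public key, since
	// Go's CreateCertificate refuses a signer key that contradicts one.
	attackerKey := makeKey()
	fakeParent := &x509.Certificate{Subject: ca.Subject}
	forged := issue("Impostor App", attackerKey, fakeParent, attackerKey, false)

	nameOnly = [2]bool{chainByNameOnly(genuine, ca), chainByNameOnly(forged, ca)}
	bySignature = [2]bool{chainBySignature(genuine, ca), chainBySignature(forged, ca)}
	return nameOnly, bySignature
}

func main() {
	nameOnly, bySig := Demo()
	fmt.Printf("genuine leaf: name-only=%v signature=%v\n", nameOnly[0], bySig[0])
	fmt.Printf("forged leaf:  name-only=%v signature=%v\n", nameOnly[1], bySig[1])
}
```

Run as is, the name-only check accepts both leaves while the signature check accepts only the genuine one; that gap is exactly what lets a certificate "for a different app" be accepted as a trusted one when only names are compared.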
The major threat in this comes from the special access that Android gives to certain apps. For example, code from Adobe Flash is embedded in other apps, allowing them to use the Flash Player plug-in. If a malicious app used an Adobe certificate to gain that access to other apps, it could, among other things, read any data collected by those apps.
Android gives favored status to at least two other apps: 3LM, which, if impersonated by another app, would give the attacker broad ability to manipulate phone settings, take control of the device and even install new software; and Google Wallet, which would provide access to sensitive financial information such as credit card numbers.
According to PCWorld, abuses of the bug are particularly difficult to detect because no user input is required to activate the special permissions.
“It is very, very easy for malware to use this attack — it is silent, transparent, with no notifications to users,” Jeff Forristal, chief technology officer of Bluebox said.
Currently, only Android versions prior to 4.4 are at risk; Google released a patch for the current version shortly after the bug was exposed. However, according to statistics gathered by Google itself, 82.1 percent of Android devices are still running a version earlier than 4.4 and are therefore still at risk.
Despite the large number of vulnerable users, Google insists that the bug has not actually been used to target anyone.
“At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability,” a Google spokesman said in a statement issued Tuesday.