Android Has "Fake ID" Security Flaw
A hacker can now copy software signatures and hijack Android mobile devices, security experts reported.
Google's Android operating system has a security bug that will allow hackers to use a "Fake ID" to commandeer phones or tablets, according to Bloomberg Businessweek. The flaw is caused by Android not checking that applications are what they say they are, Bluebox Security reported.
Bluebox stresses that most electronic devices view a verified identity as important, so why not verify an application's digital signature? Bluebox has identified those electronic signatures and said that Android doesn't check that they are authentic. This means that malware posing as software with a digital signature could likely hit a phone or tablet easily and a hacker could control the system remotely.
"We basically discovered a way to create fake ID cards," Jeff Forristal, Bluebox chief tech officer, told Businessweek. "There are different vectors. They all come down to: I can create a fake ID card. The question is, which fake ID card do I create?"
The security bug affects Android systems 2.1 and higher, but the latest version, 4.4 or KitKat, has already fixed the problem. "We appreciate Bluebox responsibly reporting this vulnerability to us. Third party research is one of the ways Android is made stronger for users," Christopher Katsaros, a Google spokesman, told Businessweek.
Bluebox said that it found the bug and reported it to Google in March, and Android released a patch to vendors in April, but only one vendor has released the patch.
"At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability," Katsaros said.
It's disturbing that Google hasn't moved faster on the security flaw, especially in such a competitive environment with iOS. While reports of hacker access can cause some security fatigue -- who hasn't seen at least one malware alert a week? -- it's important for companies to offer secure and safe operating systems.