Android Fake ID bug exposes smartphones and tablets

An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user's credit card data and take control of the device's settings.

BlueBox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.

The company added it had alerted Google to the problem in advance to allow it to mend its operating system.

Google confirmed it had created a fix.

BlueBox has dubbed the vulnerability Fake ID, because it exploits a problem with the way Android handles the digital IDs - known as certification signatures - used to verify that certain apps are what they appear to be.

The issue is that while Android checks an app has the right ID before granting it special privileges, it fails to double-check that the certification signature involved was properly issued and not forged.

Jeff Forristal, chief technology officer of BlueBox, likened the issue to a tradesman arriving at a building, presenting his ID to a security guard and being given special access to its infrastructure without a phone call being made to the tradesman's employer to check he is really on its books.
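
The missing check described above, as an added example (not code from BlueBox, Google or Android): a simplified Python model in which a certificate is a dictionary and signatures use toy textbook RSA, so the certificate layout, names and keys are all constructed assumptions. It contrasts accepting an ID because the issuer name matches with accepting it only when the issuer's key actually verifies the signature.

```python
import hashlib

# Toy textbook RSA on Mersenne primes: illustration only, not secure.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(cert, n):
    body = f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_key, issuer_name, signing_key):
    """Build a certificate that names issuer_name and is signed with signing_key."""
    cert = {"subject": subject, "issuer": issuer_name,
            "pub": (subject_key["n"], subject_key["e"])}
    n = signing_key["n"]
    cert["sig"] = pow(digest(cert, n), signing_key["d"], n)
    return cert

def linked_by_name(chain):
    return all(c["issuer"] == p["subject"] for c, p in zip(chain, chain[1:]))

def trusted_by_name(chain, trusted):
    # Flawed: only compares the claimed issuer name with the trusted subject.
    return linked_by_name(chain) and chain[-1]["subject"] == trusted["subject"]

def trusted_by_signature(chain, trusted):
    # Hardened: the chain must end at the pinned certificate, and every
    # certificate must verify under its parent's public key.
    if chain[-1] != trusted or not linked_by_name(chain):
        return False
    for child, parent in zip(chain, chain[1:]):
        n, e = parent["pub"]
        if pow(child["sig"], e, n) != digest(child, n):
            return False
    return True

# Constructed sample data: a vendor, a genuine plugin, and an ID with a forged issuer.
VENDOR_KEY = make_key(2**31 - 1, 2**61 - 1)
PLUGIN_KEY = make_key(2**89 - 1, 2**107 - 1)
OTHER_KEY = make_key(2**127 - 1, 2**61 - 1)
VENDOR = issue("Trusted Vendor", VENDOR_KEY, "Trusted Vendor", VENDOR_KEY)
GENUINE = issue("Vendor Plugin", PLUGIN_KEY, "Trusted Vendor", VENDOR_KEY)
FORGED = issue("Unrelated App", OTHER_KEY, "Trusted Vendor", OTHER_KEY)

if __name__ == "__main__":
    for label, leaf in (("genuine", GENUINE), ("forged", FORGED)):
        chain = [leaf, VENDOR]
        print(label, trusted_by_name(chain, VENDOR), trusted_by_signature(chain, VENDOR))
```

The name-only check accepts both chains, while the signature check accepts only the certificate the vendor key really signed.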

Source: BBC News Technology