It’s been awhile since we’ve heard of any major security exploits in Android, but it looks like another pretty massive security vulnerability has been uncovered by Bluebox Security. The latest exploit takes advantage of Android’s failure to check the authenticity of digital certificates, allowing some apps to gain access to the OS and resources that they otherwise should not have access to.

Typically, Android checks an app for a digital certificate when it is installed on a device, and without a valid digital certificate, the app won’t have access to anything on the device. With this “Fake ID” vulnerability, an app can show forged digital certificate and bypass the check because Android does not check the authenticity of the source of the certificate. In extreme examples, this means an app can use Google Wallet’s digital certificate to access the pieces of a device that handle payment information, for example.

According to Bluebox, this security problem has persisted since Android 2.1, so it’s a very, very old exploit. It’s still present in Android 4.4 and the Android L Developer Preview, although there are some new security measures that limit the damage that can be caused. These new minor fixes don’t solve the issue altogether, however.

Google released a statement thanking Bluebox for their work in finding Android’s security holes, and they claim that they’ve updated Google Play Services and the Play Store to check for any apps that use the Fake ID exploit. So far, there are no apps that have attempted the exploit, but until devices get updated to the latest version of Android in AOSP (and OEMs push out updates to their customers) there’s still going to be the possibility of an app taking advantage of the hole.

As always, the best advice for staying malware free is to be extremely careful of what you install and where you install it from. Typically, apps on the Play Store are safe with just a few exceptions, but reading reviews and paying close attention to app permissions can go a long way towards staying safe on your mobile device.

source: Ars Technica

View the original article here

This post was made using the Auto Blogging Software from This line will not appear when posts are made after activating the software to full version.