
Android 'supermalware' can impersonate any app

'Fake ID' will leave you needing a beer
Tue Jul 29 2014, 16:15

ANDROID DEVICES are reportedly susceptible to a new breed of "supermalware" stemming from a vulnerability in the operating system.

The "Fake ID" flaw lets malware present fake cryptographic credentials to gain permission to access a device. The device's security checks do not pay enough attention to the validity of the request and simply believe that the requestor is who it says it is.
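The gap between believing a claimed identity and verifying it can be shown with a simplified model. This is an added example, not code from Android, Bluebox or the original article; the `Credential` fields, the issuer name "TrustedVendor", the package names and the toy textbook-RSA keys are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by the toy keys below

def make_key(p, q):
    """Toy textbook-RSA key from two known primes; returns (modulus, private exponent)."""
    n = p * q
    return n, pow(E, -1, (p - 1) * (q - 1))

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(msg, n, d):
    return pow(_digest(msg, n), d, n)

def signature_valid(msg, sig, n):
    return pow(sig, E, n) == _digest(msg, n)

@dataclass
class Credential:
    subject: str    # who the credential is for
    issuer: str     # who the credential CLAIMS vouched for it
    signature: int  # issuer's signature over the subject (simplified)

# Constructed keys for the example; far too small and unpadded for real use.
VENDOR_N, _VENDOR_D = make_key(2**61 - 1, 2**89 - 1)
TRUSTED_ISSUERS = {"TrustedVendor": VENDOR_N}  # issuer name -> public modulus

def naive_check(cred):
    """Flawed: believes the issuer name written inside the credential."""
    return cred.issuer in TRUSTED_ISSUERS

def strict_check(cred):
    """Correct: the named issuer's public key must verify the signature."""
    n = TRUSTED_ISSUERS.get(cred.issuer)
    return n is not None and signature_valid(cred.subject, cred.signature, n)

def sample_credentials():
    """Constructed samples: one really signed by the vendor, one that only names it."""
    other_n, other_d = make_key(2**107 - 1, 2**127 - 1)  # unrelated key pair
    genuine = Credential("com.example.plugin", "TrustedVendor",
                         sign("com.example.plugin", VENDOR_N, _VENDOR_D))
    forged = Credential("com.example.impostor", "TrustedVendor",
                        sign("com.example.impostor", other_n, other_d))
    return genuine, forged

if __name__ == "__main__":
    for cred in sample_credentials():
        print(cred.subject, "naive:", naive_check(cred), "strict:", strict_check(cred))
```

Both checks accept the genuine credential, but only the strict check rejects the one that merely names the trusted issuer.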

Because the malware has not had to use brute force to gain access, the permissions it is able to get over the system are significantly greater than anything previously reported.

According to Bluebox, the company that first disclosed the flaw to Google three months ago, the malware could even be used to exploit data from enterprise apps such as Outlook and Salesforce.com.

The vulnerability in the Android code that allows "Fake ID" in was first noticed in the now-dormant Adobe Flash integration, which had been present since 2010 and was only patched with the arrival of Android 4.4 KitKat earlier this year. The flaw is so deeply embedded in Android that it can affect all forks of the Android Open Source Project, including Amazon's Fire OS.

Sideloaded apps are most at risk of being carriers of the malware, making uncertified Chinese devices particularly susceptible. The malware is capable of impersonating any application, whether installed or not, and can even overwrite NFC communications, putting Google Wallet transactions at risk.

Bluebox CTO Jeff Forristal will present the company's findings at next week's Black Hat security conference in Las Vegas. Google was first told about the problem in May and is believed to be working on a patch. µ

 
