Yet another critical vulnerability has been disclosed, this time affecting the majority of Android users.
The flaw in Android’s operating system allows malicious apps to take almost complete control of a user’s device and steal personal data without verifying permission during installation.
Researchers at Bluebox Labs have warned the vulnerability, dubbed “Fake ID,” affects all Android phones purchased since 2010 running versions 2.1 (“Eclair”) to 4.4 (“KitKat”). Although the latest software update released in April fixes the issue, Google Play estimates only 17.9% of users are running the latest version.
In a blog post published today, Bluebox CTO Jeff Forristal described some of the potential security implications exposed by the vulnerability:“The vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.”
However, after scanning the Google Play Store, Google reports it has not seen any evidence of attempted exploits.
To stay protected, Tripwire security researcher Craig Young suggests users assure the apps downloaded are official and avoid enabling apps from untrusted sources.
“Users without access to Google Play or who want an added layer of protection should install a mobile anti-virus product to detect this and other malicious apps,” said Young.
Additional details of the “Fake ID” exploit will be released during Forristal’s presentation at the Black Hat USA Conference in Las Vegas next week.
Read More Here…