Bluebox Security is warning Android users of a critical flaw in the operating system that lets malware impersonate trusted applications. Apps have their own ID, which is normally put in by the developer. This prevents the wrong people from making changes to the app, such as changing the programming.
Bluebox says a flaw they are calling Fake ID lets malware pretend to be certain trusted apps without any user notification. This flaw could be used to impersonate an app like Google Wallet and gain access to your bank records, or to insert some type of Trojan horse into an app. They could possibly even take control of the entire device.
The scary part is that they say this issue has existed since January 2010 and affects all devices prior to Android 4.4 KitKat. Any device not patched for Google bug 13678484 is affected. Bluebox outlined how the malware could infect a program like the Adobe Systems webview, elevate the privileges of that app and then inject code into other apps. The malware would be able to access all of that app’s data and do anything that app is able to do.
Android applications use digital certificate signatures to verify permissions, but this new flaw undermines the validity of the entire signature system. The signature can claim to be issued by anyone, and it will trick certificate-checking code into believing it is genuine.
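The difference between trusting an issuer claim and verifying it, as an added example that is not Android's or Bluebox's code. The `Cert` class is a simplified stand-in for an X.509 certificate, the RSA keys are toy-sized textbook RSA, and the names `TrustedVendor`, `VendorPlugin` and `UntrustedApp` are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by the toy keys

def toy_keypair(p, q):
    """Textbook RSA from two primes (constructed, toy-sized, no padding)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:  # simplified stand-in for an X.509 certificate
    subject: str
    issuer: str   # only a claim until the signature is checked
    pub: tuple
    sig: int = 0

    def tbs(self):  # the bytes covered by the issuer's signature
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

def issue(subject, issuer, pub, signing_priv):
    cert = Cert(subject, issuer, pub)
    n, d = signing_priv
    cert.sig = pow(_digest(cert.tbs(), n), d, n)
    return cert

def signed_by(cert, parent):
    n, e = parent.pub
    return pow(cert.sig, e, n) == _digest(cert.tbs(), n)

def build_chain(leaf, bundled, verify_signatures):
    """Walk from the leaf towards a root using the certs shipped with the app."""
    chain = [leaf]
    while chain[-1].issuer != chain[-1].subject and len(chain) <= len(bundled):
        child = chain[-1]
        # Flawed mode links on the issuer name alone; hardened mode also
        # requires the child's signature to verify under the parent's key.
        parent = next((c for c in bundled if c.subject == child.issuer
                       and (not verify_signatures or signed_by(child, c))), None)
        if parent is None:
            break
        chain.append(parent)
    return [c.subject for c in chain]

# Constructed scenario: a genuine vendor root, a cert it really issued,
# and a cert that merely names the vendor as its issuer.
vendor_pub, vendor_priv = toy_keypair(2**89 - 1, 2**107 - 1)
other_pub, other_priv = toy_keypair(2**61 - 1, 2**127 - 1)
vendor_root = issue("TrustedVendor", "TrustedVendor", vendor_pub, vendor_priv)
real_child = issue("VendorPlugin", "TrustedVendor", other_pub, vendor_priv)
fake_id = issue("UntrustedApp", "TrustedVendor", other_pub, other_priv)
```

With `verify_signatures=False` the chain for `fake_id` ends at the vendor root, so any privilege keyed to that root would be granted; with `verify_signatures=True` the chain stops at the leaf.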
A hacker could create a single piece of malware that carries multiple fake IDs and goes after several applications at once.
Many device makers have already issued patches for this problem and more are on the way. Google says they’ve seen no evidence that anyone has taken advantage of this issue. Bluebox is offering up the Bluebox Security Scanner for free at the Google Play Store. It will scan your device and check for the problem.