For some time, Android has been criticized for their lax approach to third-party app security. Fake applications, or those that only claim to provide a service but actually do nothing, have been featured in the past as “top apps” recommended by Google Play.
Now, a much bigger issue has been uncovered. A new form of malware could be using those apps to gain access to your information.
BlueBox Labs was the first to discover the threat. According to them, this malware slips in through applications via unverified certificates. Google doesn’t check the authenticity of a certificate’s source. So when it claims to have a specific origin, it accepts that as fact and allows access.
Once there, a bit of malicious coding and it has its potential way in. A simple download, accepted by the unknowing user from a previously trusted app, and they the malware has full access. Because certificates authorize special access, they are now able to look at all of your data. That includes any connected financial info with Google Play.
This is not technically ‘new’. Originally found in 2010, Fake ID was believed to have been eradicated with updates and built in safeguards in later Android versions.
However, the original “sandbox” that filtered out malicious coding or sources has been bypassed, and the threat is rising once more.
Google says the second they learned of the threat, they issued a patch. But the BBC is reporting that most users with Android 2.1 to Android 4.3 have not been provided with either information, or access to that patch by manufacturers and network operators. So the threat is still out there, and very real.
Already, several popular apps have been used as a Trojan horse for the malware. These include Adobe Systems, such as their PDF reader for mobile, and (alarmingly) Google Wallet.
If you have one of the mentioned Android OS versions and have not yet been issued a patch, it is time to update. But keep an eye out for news of continued vulnerabilities, since this particular one is a resurgence.