- Malware can impersonate other apps in order to gain access to secure areas of your phone
- Vulnerability dates back to the January 2010 release of Android 2.1
- Malware could also gain access to Google Wallet to steal financial information
- Google has issued a patch for the bug
A new flaw in Google’s Android mobile operating system leaves the personal and financial details of users open to hackers, a mobile analytics firm has claimed.
The flaw, called Fake ID and discovered by security firm Bluebox Security, allows malicious software, or malware, to impersonate other apps in order to gain access to secure areas of your phone and the sensitive data it holds, without the user becoming aware.
Experts say the flaw has been present since 2010.
Android is the operating system developed by technology giant Google.
In a blog post on the Bluebox website, chief technology officer Jeff Forristal said: ‘The vulnerability allows malicious applications to impersonate specially recognised trusted applications without any user notification.
‘This is a widespread vulnerability dating back to the January 2010 release of Android 2.1.’
Mr Forristal also suggested the malware could gain access to ‘financial and payment data by impersonating Google Wallet’, an app which utilises mobile payments, leaving thousands of user accounts at risk.
However, Google has moved to calm any fears by confirming they have been alerted to the problem and issued a fix to protect users.
‘We appreciate Bluebox responsibly reporting this vulnerability to us.
Third-party research is one of the ways Android is made stronger for users,’ said a Google spokesman. ‘After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project.’
The technology giant also said that they had scanned their app store and found no apps that are currently exploiting the vulnerability.
Craig Young, security researcher at online firm Tripwire, said that as long as users stick to official apps from the Google Play Store, they are unlikely to be in too much danger.
‘All is not lost for owners of unsupported devices as long as they stick to applications obtained from the Google Play store and do not enable apps from untrusted sources,’ he said.
‘Users without access to Google Play or who want an added layer of protection should install a mobile anti-virus product to detect this and other malicious apps.’
This was a view echoed by Jonathan French from web security company AppRiver, who suggested that the bug might not have even been known to hackers.
‘Probably not many people will already be affected by the flaw.
Security flaws do go unnoticed by companies but that usually means they go unnoticed by hackers as well.
It’s very possible that this vulnerability was already being used in the wild but my guess would be even if it was, the impact would be pretty low.
‘It seems Google is aware of the flaw now and monitoring for any apps that attempt to use this vulnerability.
‘So if you get your apps from the Play Store, you should hopefully be ok.
A YEAR OF SECURITY SCARES
The news of this flaw is the latest in a wave of recent vulnerabilities that have been reported online.
The Heartbleed bug that affected the SSL certificate used to encrypt user information on the web was discovered earlier this year.
It led to a host of major websites having to issue patches to protect users, and UK parents’ forum Mumsnet announced they were hacked as a result of the flaw.
E-commerce giant eBay was another high-profile victim of hacking earlier this year, when millions of user passwords and other data were compromised after a flaw was discovered in its security.
‘If you get apps from elsewhere, it should go without saying that you are potentially putting your device at great risk.’
Bluebox has confirmed that it will be releasing its own app that will scan a device to check whether it is at risk from the vulnerability.
According to a 2013 survey, more than 60% of the world’s smartphone users have an Android device.
HOW IT WORKS
The flaw, called Fake ID, allows malicious software, or malware, to impersonate other apps in order to gain access to secure areas of Android phones and tablets.
The malware can then extract the sensitive data the device holds, without the user becoming aware.
The vulnerability dates back to the January 2010 release of Android 2.1.
The malware could also gain access to Google Wallet, an app which utilises mobile payments, leaving thousands of user accounts at risk.
However, Google has moved to calm any fears by confirming they have been alerted to the problem and issued a fix to protect users.