Skip to main content

Google says it delivered patch for Android’s “Fake ID” security flaw to partners

Android-security-bug-Fake-ID

Citing research from Bluebox Security on an Android security flaw researchers have dubbed “Fake ID,” Arstechnica is out with a report today detailing how the vulnerability exposes a long list of Android users to malware threats.

The majority of devices running Google’s Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned… The high-impact vulnerability has existed in Android since the release of version 2.1 in early 2010, researchers from Bluebox Security said. They dubbed the bug Fake ID, because, like a fraudulent driver’s license an underage person might use to sneak into a bar, it grants malicious apps special access to Android resources that are typically off-limits.

The report continues by claiming Google developers have made changes in Android 4.4 that limit the potential damage of the bug, but that the vulnerability still remains unpatched in all version of Android since version 2.1 in 2010.

Google issued the following statement to Ars regarding a fix for the bug, but it doesn’t provide much information on what was patched or if the update has been distributed to end users through its various partners yet:

We appreciate Bluebox responsibly reporting this vulnerability to us; third-party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Jordan Kahn Jordan Kahn

Jordan writes about all things Apple as Senior Editor of 9to5Mac, & contributes to 9to5Google, 9to5Toys, & Electrek.co. He also co-authors 9to5Mac’s weekly Logic Pros series and makes music as one half of Toronto-based Makamachine.