Citing research from Bluebox Security on an Android security flaw researchers have dubbed “Fake ID,” Arstechnica is out with a report today detailing how the vulnerability exposes a long list of Android users to malware threats.

Best iPhone, iPad, & Apple TV game controllers

The majority of devices running Google’s Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned… The high-impact vulnerability has existed in Android since the release of version 2.1 in early 2010, researchers from Bluebox Security said. They dubbed the bug Fake ID, because, like a fraudulent driver’s license an underage person might use to sneak into a bar, it grants malicious apps special access to Android resources that are typically off-limits.

The report continues by claiming Google developers have made changes in Android 4.4 that limit the potential damage of the bug, but that the vulnerability still remains unpatched in all version of Android since version 2.1 in 2010.

Google issued the following statement to Ars regarding a fix for the bug, but it doesn’t provide much information on what was patched or if the update has been distributed to end users through its various partners yet:

We appreciate Bluebox responsibly reporting this vulnerability to us; third-party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.

About the Author