A new vulnerability dubbed Fake ID, which lets third party apps downloaded by the user to copy identity credentials of trusted applications, has been discovered by security researchers over at Bluebox security.
The existence of the vulnerability was informed to the Google security team as early as April who also developed a patch. Google has started distributing the patch to its partners, while few vendors have developed a patch of their own and the others are still processing it. However, Bluebox CTO Jeff Forristal said that some devices may never get a patch.
Hackers can create a fake app which looks credible on the surface with identities from Adobe, Google Wallet, 3LM, etc which are widely recognized and gain access to the information in these apps on the device, once downloaded. The app may be advertised as accessing limited information, but it could be doing malicious things in the background without the knowledge of the users.
Android OS may grant permission to these apps as they impersonate a legal app. Although the vulnerability is commonly present in the versions up to 4.3, it affects users in different ways, for instance, Google Wallet can be compromised only on devices which support NFC hardware while the Adobe application can be used to compromise all devices.
Because of rampant vulnerabilities in Flash, Apple has shut its doors for Adobe Flash on iOS devices from the very beginning. While other versions of the OS are vulnerable, Android 4.4 had a changed webview component which has made it resistant to such attacks.
As only 18 percent of devices run Android 4.4 KitKat, the rest of the 82 percent of the devices are prone to attacks.
