We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Bluebox Labs
Security Flaw

Android Fake ID vulnerability could put millions of users at risk

A new vulnerability found in older versions of Android could allow malware to bypass security and take control of your phone and apps as well as access your data.

AN ANDROID FLAW which allows malware to insert malicious code into other apps and gain control of a device’s settings has been discovered.

The flaw, which was discovered by security company Bluebox Labs, is called ‘Fake ID’ could puts millions of users who are using older versions of Android at risk.

In a blog post detailing the flaw, it shows that every Android application has its own unique identity. The vulnerability is found in what’s called a ‘certificate chain,’ which allows devices to verify the identities of apps first for use before they’re opened or grant permission to access certain data.

The flaw undermines this process since it makes “no attempt to verify the authenticity of a certificate chain; in other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim.”

By opening an app that exploits this, it could create a knock-on effect which would see other apps and services being affected.

A patch for the flaw, which was labelled ‘Google bug 13678484′, was issued by Google as part of its latest update to KitKat (4.4) in April. However, that version only accounts for 17.9% of all Android versions, the rest (82.1%) are running older versions of Android on their devices.

Android developer dashboard The percentage of users who use each version of Android. The Fake ID flaw affects those using Android version 2.1 to 4.4. Android Developers Android Developers

If you’re worried about whether you have the latest version of Android installed, simply go into settings, scroll down to ‘about device’ and select ‘check update’.

If you’re using an older version, you will be notified and prompted to install the update although some devices don’t have the latest update yet due to their manufacturer not releasing one yet so double check just in case.

Bluebox Labs also released an Android app of their own which checks whether your device has been patched.

Read: Apple’s iPhone 6 faces a big pricing problem around the world >

Read: Samsung postpones Tizen smartphone launch so it can improve its new OS >

Your Voice
Readers Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.