Sensitive financial and personal information of Android smartphone users could have been accessed by hackers since 2010 due to a previously unknown vulnerability.
Described by cyber security firm Bluebox Security, the vulnerability allowed attackers to use malicious software to mimic other, legitimate apps, thus gaining access to data stored in smartphones without having to request the user’s consent.
The vulnerability, which Bluebox Security dubbed Fake ID, has been present in the Android operating system since version 2.1, released in 2010.
Bluebox Security’s chief technology officer Jeff Forristal said the vulnerability could have allowed attackers to extract financial and payment data by, for example, impersonating Google Wallet, an app which utilises mobile payments, leaving thousands of user accounts at risk.
Google said it was alerted to the problem and has already issued a security patch.
"We appreciate Bluebox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users," said a Google spokesman.
"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project."
The technology giant also said that they had scanned their app store and found no apps that are currently exploiting the vulnerability.
Craig Young, security researcher at online firm Tripwire, said that as long as users stick to official apps from the Google Play Store, they are unlikely to be in too much danger.
"All is not lost for owners of unsupported devices as long as they stick to applications obtained from the Google Play store and do not enable apps from untrusted sources," he said.
"Users without access to Google Play or who want an added layer of protection should install a mobile anti-virus product to detect this and other malicious apps."
Adding to the smartphone security concerns is a survey of smartphone user behaviour, compiled by mobile phone comparison site TigerMobiles.com, which revealed that not only do users not install security software, most of them don’t even have measures in place to prevent unauthorised access to the information stored in their gadgets in the case of theft.
The study revealed only one in three people in the UK use a PIN, pattern, voice or fingerprint code to lock their screen. As part of the survey, TigerMobiles.com asked 5,000 individuals who had purchased new smartphones in the past 12 months to explain the motives behind their behaviour. 55 per cent of the respondents cited the added hassle of inputting a PIN as the reason they're not using one.
"I'm not really surprised by the low numbers, the vast majority of smartphone users don't see the need for any security, but this is extremely short-sighted considering the kind of information people store on their mobile phone," said Brandon Ackroyd, Head of Customer Insight and Mobile Phone Expert at Tiger Mobiles.
"The world is going mobile and so are criminals. The smartphone you carry around with you all day long is now a prime target for both high level cyber-criminals and opportunistic street thieves who want to gain access to your personal information."