A critical vulnerability affecting millions of Android devices could let a hacker take control of a smartphone or insert malicious code in another app, security researchers say.
Called Fake ID, the vulnerability was discovered by researchers at vendor Bluebox Security, which worked with Google on a patch released to device manufacturers and carriers in April.
Bluebox made the vulnerability public Tuesday in a blog post that said the flaw affects all versions of Android from 2.1 to 4.4, known as Kit Kat.
The vulnerability is in the way the mobile operating system handles certificate validation. The flaw even affects devices with the 3LM device administration extension, including those from HTC, Pantech, Sharp, Sony Ericsson and Motorola.
3LM provides enterprise security features, such as the ability to white list or black list applications in accessing corporate resources or to wipe all data from a device remotely.
Developers are identified in Android apps through the use of digital certificates. Bluebox discovered that the Android app installer fails to properly authenticate the identity certificate, which means an attacker can create an app with a fake identity to gain the same privileges granted to the developer of the legitimate app.
An Adobe plug-in and Google Wallet are examples of apps with lots of privileges that could be exploited.
In the case of an Adobe plug-in, the fake app could gain the privilege to insert malicious code in other apps to steal data. With Google Wallet, an attacker could gain access to the near-field communication (NFC) chip in the device.
The NFC chip is where an Android smartphone stores payment information that a store's electronic payment system will read in completing a purchase.
While a patch is available, whether Android users have had the opportunity to update their phones depends on how quickly their carrier pushes out the patch, a process that can take months, if it happens at all.
To compromise a smartphone, the attacker would have to find a way to have an app with a fake identity installed on the smartphone. This could be done through a malicious download link sent in a text message or if the person uses third-party app stores with poor security.
In general, the risk of downloading apps with known exploits is low for software bought through Google Play, the official Android store.
Once a malicious app containing Fake ID is on the phone, it can bypass the security measures Android typically has in place, which includes asking the user for approval before granting certain privileges to the app.
"Once it's installed -- done, boom, game over," Jeff Forristal, chief technology officer of Bluebox, said.