One Android feature that never made its way to iOS may be the cause of one of the most worrying security exploits ever on the mobile platform. AppleInsider reports that Bluebox Security has found an Android design flaw that could potentially allow malware apps to take over someone’s device without requiring users to manually give the app permission to access their phones.
Dubbed ‘Fake ID,’ the flaw allows the malicious apps to send fake credentials to Android, granting the app the ability to take on the form of another legitimate app that would have more extensive access to the device.
Perhaps unsurprisingly, one of the trusted apps that ‘Fake ID’ can assume the identity of is Adobe Flash, an Android-specific feature that Steve Jobs refused to include in iOS for this very reason. Although Google ditched Flash for Android a few years ago, the software was so deeply ingrained in the platform that a residual flaw remained in the Android WebView until the release of Android 4.4 KitKat.
Unfortunately, only 18% of Android users have installed KitKat, which leaves 82% of the Android population vulnerable to ‘Fake ID’ through Flash. Of course, Flash isn’t the only victim — Google Wallet can be exploited as well, putting users’ financial data at risk.
According to Bluebox, “other devices and applications that depend upon the presence of specific signatures to authenticate an application may also be vulnerable. Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability.”