Android devices 'threatened by fake apps'

[email protected]

Twitter: @hannahkuchler

Google's Android operating system is making mobile devices vulnerable to cyber criminals seeking to access users' personal information, according to researchers who claim to have found a flaw in the software.

Hackers can create a fake identification code allowing them to pretend to be an existing app with a good reputation, researchers at Bluebox Security have warned - a ruse that enables them to move around a mobile device and tap into its data.

Bluebox Security said it informed Google of the problem in April, and the technology group has since provided all of its Android device partners with a fix. However, any device that has not been updated with the latest version of the Android operating system remains at risk.

Jeff Forristal, Bluebox's chief technology officer and lead researcher, said 99 per cent of Android devices were vulnerable, although he had found no evidence that a cyber criminal had taken advantage of the hole in the security system.

"It can be used to take over a specific app or an entire device, what is stored on that computer by the user," Mr Forristal explained. "So online banking is at risk, work email is at risk, it just comes down to what the device is used for."

The Financial Times was unable to independently verify the vulnerability but Google confirmed the problem.

"After receiving word of this vulnerability, we issued a patch that was distributed to Android partners, as well as to [open source patch] AOSP," said Google. "We have scanned all apps submitted to Google Play . . . and we have seen no evidence of attempted exploitation of this vulnerability."

Companies are becoming increasingly worried about cyber security after high profile attacks, such as the data breach at US retailer Target at the beginning of the year, and the discovery of a hole in the software used to secure two-thirds of the web, known as the Heartbleed bug.

Security researchers aim to identify vulnerabilities in internet-connected devices and share them with the companies responsible - allowing the companies to issue a fix before the flaw is publicly announced. Bluebox Security's Mr Forristal intends to explain how a hacker could manipulate the Android vulnerability at the Black Hat security conference at the start of August.

As people spend more time on mobile devices, cyber criminals have turned their attention to hacking them rather than personal computers, by creating fake apps that look similar to those users download from popular online app stores.

Mr Forristal said the problem Bluebox Security uncovered was significant as it could allow cyber criminals to pose as any app they liked. "This is not one bad thing pretending to be one thing and tricking the user, this is not a fake Capital One app, this is any app," he said.

© The Financial Times Limited 2014. All rights reserved.
FT and Financial Times are trademarks of the Financial Times Ltd.
Not to be redistributed, copied or modified in any way.
Euro2day.gr is solely responsible for providing this translation and the Financial Times Limited does not accept any liability for the accuracy or quality of the translation