The Bluebox Labs Company experts have published information about security vulnerability on Android platform which allows hackers to get access into functions of gadgets and to personal information without user‘s knowledge.
However many users are in danger as vulnerability was corrected only in the last Android version, but in other versions it still exists.
After the Bluebox Labs Company found vulnerability, in English-speaking releases it was called "super vulnerability of new type", it is likely because of possibility to extend extremely malicious software.
BlueBox experts called vulnerability Fake ID, because it allows malware apps to pass fake credentials to Android, which fails to properly verify the app's cryptographic signature. Moreover, Android grants the rogue app all of the access permissions of whatever legitimate app the malware claims to be.
Jeff Forristal, CTO of Bluebox Security says that the problem is the certificates verification process. As an example Forristal desribed such situation: if the thief comes to guard and shows the false admission, the security passes him to the organization, without having phoned to service which writes out admissions.
Forristal declares that the biggest operating system problem is that Android doesn't check the affiliated digital signature which is connected with the parental digital signature, he simply trusts this information.
For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Thus the attacker is capable to introduce a malicious code in system, being covered with Flash plug-in.
Similar vulnerability was found in Android not for the first time. In July, 2014 Bluebox experts found a bug which allowed hackers to alter the adjusting APK file code and to turn any original application into trojan in OS. According to experts, such mistake is on 900 million gadgets.
It should be mentioned that experts from Hong Kong have developed bizarre malware that dictates contacts, emails and other sensitive text data in order to steal it.
