Security researchers at Bluebox Labs have uncovered a design flaw in Android that could allow malware to take over a device.
Dubbed "Fake ID" by Bluebox, the flaw is related to how app security is handled. In Android, each app is given its own unique cryptographic signature that determines who can update it and what privileges it has. As The Guardian explains, there are parent certificates and child certificates, both of which are checked against one another during installation to ensure they match and the app is trusted.
The problem is that Android doesn't carry out enough security checks, so it doesn't know whether the certificate was properly issued or forged.
Bluebox CTO Jeff Forristal likened it to a tradesman arriving at a building. The worker presents an ID to a security guard and is allowed to enter as the ID appears legit. The security guard never validates the ID by calling his employer to make sure he works there.
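The gap described above, shown as an added example (not Android's code and not from Bluebox): a simplified model that assumes the insufficient check links a child certificate to its parent by matching names only, beside a check that also verifies the parent's signature on the child. All certificates are constructed samples, and the names `issue`, `nameOnlyLink`, `verifiedLink` and `demo` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a constructed sample certificate: issuer name from namedParent, signed by signer (nil, nil = self-signed).
func issue(cn string, namedParent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if namedParent == nil {
		namedParent, signer = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, namedParent, &key.PublicKey, signer)))), key
}

// nameOnlyLink models the insufficient check (an assumption of this example): issuer name equals parent's subject name.
func nameOnlyLink(child, parent *x509.Certificate) bool {
	return bytes.Equal(child.RawIssuer, parent.RawSubject)
}

// verifiedLink also requires that the parent's public key verifies the signature on the child.
func verifiedLink(child, parent *x509.Certificate) bool {
	return nameOnlyLink(child, parent) && parent.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) == nil
}

// demo checks a properly issued child and one that only names the parent as issuer (signed by an unrelated key).
func demo() (issuedName, issuedSig, claimedName, claimedSig bool) {
	parent, parentKey := issue("Constructed Parent", nil, nil)
	issued, _ := issue("issued child", parent, parentKey)
	claimed, _ := issue("unissued child", &x509.Certificate{RawSubject: parent.RawSubject}, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)))
	return nameOnlyLink(issued, parent), verifiedLink(issued, parent), nameOnlyLink(claimed, parent), verifiedLink(claimed, parent)
}
func main() { fmt.Println(demo()) } // prints: true true true false
```

The name-only check cannot tell the two children apart; only the signature verification separates the certificate the parent actually issued from the one that merely claims it.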
Using the flaw, a malicious actor can have their malware validated by impersonating another app that has special privileges. Forristal cited Adobe Flash and Google Wallet as examples of apps that have high-level access within Android.
The flaw has existed in Android since version 2.1 was released way back in 2010. The good news is that it was removed from Google's mobile operating system last fall with Android 4.4 KitKat, but as of earlier this month, less than 18 percent of all Android users are running the latest version. That means roughly 82 percent of all Android users are at risk.