The latest in a long string of smartphone issues is the so-called "Fake ID" flaw affecting Android devices. This attack exploits a vulnerability in the way an Android device checks the authenticity of an app.
The issue is somewhat similar to the signature controls on US credit cards. When you sign a credit card receipt or a terminal's signature pad, the clerk or cashier might check that signature against the one on the card. Even if the signatures match (and when does that happen??? I can barely duplicate my own signature! :-), that doesn't prove you are the owner of the card, nor does it tell anyone whether the card is fake or stolen.
In a somewhat analogous way, apps are "signed". The flaw allows Android phones to accept apps whose signatures have not been properly verified. This creates an opportunity for fake or malicious apps to be installed.
This issue should be patched on your phone by now. But this is not the first time this kind of problem has emerged. And it won't be the last time! This can be a serious issue.
What can we do? Here are a few tips:
- Only download apps from known sources. Google Play Store is the "official" app repository.
- If possible, use apps from known companies/authors. This is not necessarily easy. You can look at download numbers and read reviews for some guidance.
- Update your phone software and install patches when available. Many manufacturers and carriers are working on patches for this issue.
- Practice good app "hygiene" - if you don't need it, delete it.
- Check app permissions (we'll talk more about this in a future post).
- Use anti-malware software.
LastPass also has some good info, and here are a few other resources.