In response to the news that security researchers have discovered an Android flaw that lets malware insert malicious code into other apps, gain access to the user's credit card data and take control of the device's settings, Craig Young, security researcher at Tripwire, says:
“BlueBox researchers have found and responsibly disclosed another critical Android vulnerability. In the attack, dubbed Android “FakeID”, a malicious application is able to present spoofed digital IDs without the OS noticing. The result is that an application requesting no special permissions at all could access sensitive parts of the phone’s internals by masquerading as authorized programs such as Google Wallet, which has access to financial data, or Adobe's Flash plugin, which has the ability to inject code into other processes.
The Android FakeID vulnerability highlights some of the best and worst aspects of the Android security system. On one hand, Android’s open nature attracts third-party security review from white hat firms such as BlueBox, whereas proprietary systems sometimes discourage security research and even take measures to hinder it. On the other hand, Android’s fragmented ecosystem means that many devices will forever be affected by this vulnerability due to short device support windows and slow phone carriers. All is not lost for owners of unsupported devices, however, as long as they stick to applications obtained from the Google Play store and do not enable apps from untrusted sources. Users without access to Google Play, or who want an added layer of protection, should install a mobile anti-virus product to detect this and other malicious apps.
If this attack has been used in the wild, it was likely limited to specific targeted attacks and not with apps distributed through Google Play. Upon confirming reports of the FakeID vulnerability, Google scanned their store as well as some other sources for exploits and came up empty-handed. Now that the cat is out of the bag, however, I would expect to see apps with fake IDs showing up in third-party markets or drive-by download attacks.”