Android mascots are lined up in the demonstration area at the Google I/O Developers Conference in the Moscone Center in San Francisco.
A massive security flaw with the Android operating system has been discovered, potentially affecting millions of users REUTERS/Beck Diefenbach

A new Android vulnerability dubbed 'Fake ID' has been discovered that allows malicious apps to gain control over a user's device and access sensitive information, including credit card and contact data.

The bug, discovered by mobile security firm Bluebox, dates back to January 2010 when Android 2.1 was released and affects every single device not patched for Google bug 13678484, which was disclosed to Google and released for patching in April 2010. This includes all devices prior to Android 4.4 (KitKat).

"Every Android application has its own unique identity, typically inherited from the corporate developer's identity," Jeff Forristal, chief technology officer at Bluebox, said in a blogpost detailing the flaw.

Android fake id malware
Malicious apps could copy identities from users' Android devices without a patch

"The Bluebox Security research team, Bluebox Labs, recently discovered a new vulnerability in Android, which allows these identities to be copied and used for nefarious purposes.

"In other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim."

Google has confirmed that it created a fix for the problem after being contacted by Bluebox.

"We appreciate Blubox responsibly reporting this vulnerability to us," a spokesperson for the company said. "Third-party research is one of the ways Android is made stronger for users.

"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project."

Devices running versions of the operating system from Android 2.1 to Android 4.3 remain vulnerable to the bug until they receive the fix from relevant carriers and manufacturers.

Google's own figures suggest that over 80% of all Android users are running versions of the mobile software that are still at risk.

It is understood by Google that all apps currently available through its official Google Play store are safe from the vulnerability, however any apps downloaded outside Google Play are potentially unsafe.

"At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability," the spokesperson added.

Security experts have warned that Android's fragmented ecosystem means that it is particularly susceptible to such attacks.

"The Android Fake ID vulnerability highlights some of the best and worst aspects of the Android security system," said Craig Young, a researcher at security firm Tripwire.

"On one hand, Android's open nature attracts third party security review from white hat firms such as Bluebox. On the other hand, many devices will be forever affected by this vulnerability due to short device support windows and slow phone carriers."