Feeds

Android busted for carrying Fake ID: OS doesn't check who really made that 'Adobe' plugin

Versions 2.1 to 4.4 vulnerable to masquerading malware

Protecting against web application threats using SSL

Google Android allows malware to masquerade as legit, trusted apps thanks to weaknesses in the way the operating system checks digital certificates of authenticity.

The flaw, dubbed Fake ID by its discoverers at Bluebox Security, affects all versions of Android from 2.1 (released in 2010) up to Android 4.4. Although Google issued a patch in April, it's feared millions of handhelds are still at risk as not all gadget manufacturers have pushed out the patch.

"A fix has been made for many of 4.x versions and those fixes have been sent to devices manufacturers," Jeff Forristal, chief technology officer of BlueBox, told The Register.

"At this point it's up to the discretion of device manufactures as when to apply that update. Google can't control an open ecosystem in the same way Apple can with its closed model."

The Fake ID problem is due to weakness in the way applications can be trusted by their certificate chain: a vendor like Adobe can digitally sign an app to prove, cryptographically, that it built the software and that it's legit.

Bluebox discovered that a miscreant can create his or her own identity certificate, falsely claim it has been signed by Adobe as trustworthy, and then use that identity certificate to sign a malicious piece of software. That malware, to Android, now looks like Adobe-trusted code and the OS allows it to run with special privileges, no questions asked.

This is entirely possible because the checking process is incomplete: it simply doesn't check up the chain to verify, in this case, that Adobe really did issue the cert.

For example, an attacker could exploit this bug to allow some malware to masquerade as an Adobe webview plugin. The system trusts Adobe webview plugins, such as Flash, and allows them to install and run. Programs that claim to be Adobe plugins have the power to insert code into apps, Bluebox explained. At that point, personal data can be siphoned off, or worse.

Punched in the wallet

Bluebox also says Google's own Wallet payment system is susceptible to the Fake ID attack. Malicious code can harvest credit card numbers, to put it bluntly.

"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users," a Google spokesman told El Reg in an emailed statement.

"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."

That Google has issued a patch and is checking Play for applications is welcome, but that still leaves a sizable pool of handsets out there that are still vulnerable. Bluebox has built an application to test for the flaw and has a couple of ideas for those who still haven't got the patch.

"First off, steer clear of unauthorized application stores or markets offering cracked versions of code and only take apps from trusted sources," Forristal advised.

"In addition, if your phone is unpatched then you need to make a customer service enquiry to the phone manufacturer and your carrier and put pressure on for a network update. Keep pressure on both parties to motivate than to be part of the release cycle rather than being lackadaisical about it." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.