Android busted for carrying Fake ID: OS doesn't check who really made that 'Adobe' plugin

Versions 2.1 to 4.4 vulnerable to masquerading malware

Google Android allows malware to masquerade as legit, trusted apps thanks to weaknesses in the way the operating system checks digital certificates of authenticity.

The flaw, dubbed Fake ID by its discoverers at Bluebox Security, affects all versions of Android from 2.1 (released in 2010) up to Android 4.4. Although Google issued a patch in April, it's feared millions of handhelds are still at risk as not all gadget manufacturers have pushed out the patch.

"A fix has been made for many of the 4.x versions and those fixes have been sent to device manufacturers," Jeff Forristal, chief technology officer of Bluebox, told The Register.

"At this point it's up to the discretion of device manufacturers as to when to apply that update. Google can't control an open ecosystem in the same way Apple can with its closed model."

The Fake ID problem is due to a weakness in the way Android decides whether to trust an application based on its certificate chain: a vendor like Adobe can digitally sign an app to prove, cryptographically, that it built the software and that it's legit.

Bluebox discovered that a miscreant can create his or her own identity certificate, falsely list Adobe as the issuer that signed it, and then use that identity certificate to sign a malicious piece of software. That malware, to Android, now looks like Adobe-trusted code and the OS allows it to run with special privileges, no questions asked.

This is entirely possible because the checking process is incomplete: the package installer reads the issuer name written on each certificate in the chain, but it never verifies the issuer's signature on that certificate. In this case, it simply doesn't check that Adobe really did issue the cert.

For example, an attacker could exploit this bug to make malware masquerade as an Adobe webview plugin. The system trusts Adobe webview plugins, such as Flash, and allows them to install and run. Programs that pass as Adobe plugins have the power to insert code into other apps, Bluebox explained. At that point, personal data can be siphoned off, or worse.
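The two checks side by side, as an added example written for this page (it is not Bluebox's test app or Android's own installer code, which is Java; Go's standard-library X.509 package is used here for brevity). The vendor name "Trusted Vendor CA", the developer and app names, and the key sizes are all assumptions. A root is generated, one certificate is genuinely issued by it, and one is forged by writing the root's name into the Issuer field while signing with the attacker's own key. The name-only check is the Fake ID logic described above and accepts both; the signature check accepts only the genuine one:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustedVendorCN is the hypothetical vendor name the installer trusts,
// standing in for "Adobe" in the article.
const TrustedVendorCN = "Trusted Vendor CA"

// newKey generates a P-256 ECDSA key; the algorithm is not the point, speed is.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template returns a minimal certificate template for a CA or a leaf.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA = true
		t.BasicConstraintsValid = true
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with signerKey, copying parent's subject into the new
// certificate's Issuer field, and returns the parsed result. Nothing here
// checks that signerKey really belongs to parent: that is the attacker's job.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// nameOnlyTrusted is the broken, Fake ID-style check: the app signer is
// trusted if its certificate merely names the trusted vendor as issuer.
func nameOnlyTrusted(appCert, trusted *x509.Certificate) bool {
	return appCert.Issuer.String() == trusted.Subject.String()
}

// signatureTrusted is the correct check: the vendor's public key must actually
// verify the signature on the app signer's certificate.
func signatureTrusted(appCert, trusted *x509.Certificate) bool {
	return appCert.CheckSignatureFrom(trusted) == nil
}

// Outcome records how each certificate fares under each check.
type Outcome struct {
	ForgedPassesNameCheck, ForgedPassesSigCheck bool
	LegitPassesNameCheck, LegitPassesSigCheck   bool
}

// Run builds the vendor root, a genuinely issued developer certificate and a
// forged one, then puts both through both checks.
func Run() Outcome {
	vendorKey := newKey()
	vt := template(1, TrustedVendorCN, true)
	vendor := issue(vt, vt, &vendorKey.PublicKey, vendorKey) // self-signed root

	// Genuine: the vendor's key signs the developer's certificate.
	devKey := newKey()
	legit := issue(template(2, "Real Plugin Developer", false), vendor, &devKey.PublicKey, vendorKey)

	// Forged: the Issuer field says "Trusted Vendor CA", but the signature is
	// made with the attacker's own key. The stub parent carries only a name.
	attackerKey := newKey()
	stubParent := &x509.Certificate{Subject: pkix.Name{CommonName: TrustedVendorCN}}
	forged := issue(template(3, "Totally Legit Plugin", false), stubParent, &attackerKey.PublicKey, attackerKey)

	return Outcome{
		ForgedPassesNameCheck: nameOnlyTrusted(forged, vendor),
		ForgedPassesSigCheck:  signatureTrusted(forged, vendor),
		LegitPassesNameCheck:  nameOnlyTrusted(legit, vendor),
		LegitPassesSigCheck:   signatureTrusted(legit, vendor),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

The forged certificate is accepted by the name-only comparison and rejected by CheckSignatureFrom, which verifies the child's signature against the parent's public key and also insists the parent is a CA entitled to sign certificates. That second check is the step the vulnerable installer skipped; anything that only compares issuer and subject strings is the Fake ID bug in miniature.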

Punched in the wallet

Bluebox also says Google's own Wallet payment system is susceptible to the Fake ID attack. Malicious code can harvest credit card numbers, to put it bluntly.

"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users," a Google spokesman told El Reg in an emailed statement.

"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."

That Google has issued a patch and is checking Play for applications is welcome, but that still leaves a sizable pool of handsets out there that are still vulnerable. Bluebox has built an application to test for the flaw and has a couple of ideas for those who still haven't got the patch.

"First off, steer clear of unauthorized application stores or markets offering cracked versions of code and only take apps from trusted sources," Forristal advised.

"In addition, if your phone is unpatched then you need to make a customer service enquiry to the phone manufacturer and your carrier and put pressure on for a network update. Keep pressure on both parties to motivate them to be part of the release cycle rather than being lackadaisical about it." ®