Android busted for carrying Fake ID: OS doesn't check who really made that 'Adobe' plugin

Versions 2.1 to 4.4 vulnerable to masquerading malware

Google's Android allows malware to masquerade as legitimate, trusted apps thanks to a weakness in the way the operating system checks the digital certificates used to sign them.

The flaw, dubbed Fake ID by its discoverers at Bluebox Security, affects all versions of Android from 2.1 (released in 2010) up to Android 4.4. Although Google issued a patch in April, it's feared millions of handhelds are still at risk as not all gadget manufacturers have pushed out the patch.

"A fix has been made for many of the 4.x versions and those fixes have been sent to device manufacturers," Jeff Forristal, chief technology officer of BlueBox, told The Register.

"At this point it's up to the discretion of device manufacturers as to when to apply that update. Google can't control an open ecosystem in the same way Apple can with its closed model."

The Fake ID problem is due to a weakness in the way Android decides to trust an application on the strength of its certificate chain: a vendor such as Adobe can digitally sign an app to prove, cryptographically, that it built the software and that it is legitimate.

Bluebox discovered that a miscreant can create their own identity certificate, falsely name Adobe's certificate as its issuer, and then use that identity certificate to sign a malicious app. To Android, that malware now looks like Adobe-trusted code, and the OS lets it run with the special privileges reserved for Adobe, no questions asked.

This is possible because the checking process is incomplete: the OS links a certificate to its claimed issuer by matching names, but never verifies the signature that is supposed to bind the two. It therefore never establishes that Adobe's private key actually signed the attacker's certificate.

For example, an attacker could exploit this bug to have malware masquerade as an Adobe webview plugin. The system trusts Adobe webview plugins, such as Flash, and allows them to install and run; code accepted as an Adobe plugin is loaded into other apps that use the webview, so it can inject itself into them, Bluebox explained. At that point, personal data can be siphoned off, or worse.
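The chain-building weakness described above, as an added illustration in Go using the standard crypto/x509 package; this is not Bluebox's or Google's code, and it models the Android check rather than reproducing it. A self-signed certificate stands in for the Adobe certificate the platform has hard-coded as trusted; the attacker forges a leaf whose Issuer field names Adobe but whose signature comes from the attacker's own key; then the flawed name-matching decision and the corrected signature-verifying decision are both run over the resulting chain. All names, serial numbers and Common Names are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 purely for brevity
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate describes a subject; CA templates also get the constraints CheckSignatureFrom demands of an issuer.
func newTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// issue encodes and re-parses a certificate; parent supplies only the Issuer name, signer really signs it.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newAuthority stands in for the vendor whose certificate the platform hard-codes as trusted (Adobe here).
func newAuthority(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := newTemplate(cn, 1, true)
	return issue(tmpl, tmpl, &key.PublicKey, key), key
}

// issueSigned is the honest path: the vendor signs a leaf with its own private key.
func issueSigned(vendor *x509.Certificate, vendorKey *ecdsa.PrivateKey, cn string) *x509.Certificate {
	return issue(newTemplate(cn, 2, false), vendor, &newKey().PublicKey, vendorKey)
}

// forgeFakeID is the attacker's path: a leaf whose Issuer field names the vendor
// but whose signature comes from the attacker's own key. The stand-in parent
// carries only the vendor's name, so the vendor's private key is never needed.
func forgeFakeID(vendor *x509.Certificate) *x509.Certificate {
	key := newKey()
	fakeParent := &x509.Certificate{Subject: vendor.Subject}
	return issue(newTemplate("Totally Legit Plugin", 3, false), fakeParent, &key.PublicKey, key)
}

// linkByName models the flawed chain building: a link holds when the child's
// Issuer name merely equals the parent's Subject name; no signature is checked.
func linkByName(child, parent *x509.Certificate) bool { return child.Issuer.String() == parent.Subject.String() }

// linkBySignature is the corrected test: the child's signature must verify
// under the parent's public key, and the parent must be entitled to sign.
func linkBySignature(child, parent *x509.Certificate) bool { return child.CheckSignatureFrom(parent) == nil }

// trusted walks a leaf-first chain with the given link test and grants the
// vendor's privilege only when the chain ends at the hard-coded vendor cert.
func trusted(chain []*x509.Certificate, vendor *x509.Certificate, link func(child, parent *x509.Certificate) bool) bool {
	for i := 0; i+1 < len(chain); i++ {
		if !link(chain[i], chain[i+1]) {
			return false
		}
	}
	return len(chain) > 0 && chain[len(chain)-1].Equal(vendor)
}

func main() {
	adobe, adobeKey := newAuthority("Adobe Systems Incorporated")
	forged := []*x509.Certificate{forgeFakeID(adobe), adobe}
	genuine := []*x509.Certificate{issueSigned(adobe, adobeKey, "Adobe Flash Player"), adobe}
	fmt.Println("forged chain, name-only check:  ", trusted(forged, adobe, linkByName))       // true
	fmt.Println("forged chain, signature check:  ", trusted(forged, adobe, linkBySignature))  // false
	fmt.Println("genuine chain, signature check: ", trusted(genuine, adobe, linkBySignature)) // true
}
```

Run it with `go run`. The point to take away is the one the article makes: the attacker's chain looks identical to a real Adobe chain under name matching, because nothing in it is secret. Only the signature over the leaf distinguishes the two, and only a check that actually runs `CheckSignatureFrom` (or its equivalent in the platform's JAR verifier) consults Adobe's public key. The forged certificate is also an ordinary, well-formed X.509 object, so no parser or scanner will flag it on structure alone.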

Punched in the wallet

Bluebox also says Google's own Wallet payment system is susceptible to the Fake ID attack. Malicious code can harvest credit card numbers, to put it bluntly.

"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users," a Google spokesman told El Reg in an emailed statement.

"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."

That Google has issued a patch and is checking Play for malicious applications is welcome, but it still leaves a sizable pool of vulnerable handsets in the field. Bluebox has built an application to test for the flaw and has a couple of ideas for those who still haven't got the patch.

"First off, steer clear of unauthorized application stores or markets offering cracked versions of code and only take apps from trusted sources," Forristal advised.

"In addition, if your phone is unpatched then you need to make a customer service enquiry to the phone manufacturer and your carrier and put pressure on for a network update. Keep pressure on both parties to motivate them to be part of the release cycle rather than being lackadaisical about it." ®
