Feeds

Android busted for carrying Fake ID: OS doesn't check who really made that 'Adobe' plugin

Versions 2.1 to 4.4 vulnerable to masquerading malware

Choosing a cloud hosting partner with confidence

Google Android allows malware to masquerade as legit, trusted apps thanks to weaknesses in the way the operating system checks digital certificates of authenticity.

The flaw, dubbed Fake ID by its discoverers at Bluebox Security, affects all versions of Android from 2.1 (released in 2010) up to Android 4.4. Although Google issued a patch in April, it's feared millions of handhelds are still at risk as not all gadget manufacturers have pushed out the patch.

"A fix has been made for many of 4.x versions and those fixes have been sent to devices manufacturers," Jeff Forristal, chief technology officer of BlueBox, told The Register.

"At this point it's up to the discretion of device manufactures as when to apply that update. Google can't control an open ecosystem in the same way Apple can with its closed model."

The Fake ID problem is due to weakness in the way applications can be trusted by their certificate chain: a vendor like Adobe can digitally sign an app to prove, cryptographically, that it built the software and that it's legit.

Bluebox discovered that a miscreant can create his or her own identity certificate, falsely claim it has been signed by Adobe as trustworthy, and then use that identity certificate to sign a malicious piece of software. That malware, to Android, now looks like Adobe-trusted code and the OS allows it to run with special privileges, no questions asked.

This is entirely possible because the checking process is incomplete: it simply doesn't check up the chain to verify, in this case, that Adobe really did issue the cert.

For example, an attacker could exploit this bug to allow some malware to masquerade as an Adobe webview plugin. The system trusts Adobe webview plugins, such as Flash, and allows them to install and run. Programs that claim to be Adobe plugins have the power to insert code into apps, Bluebox explained. At that point, personal data can be siphoned off, or worse.

Punched in the wallet

Bluebox also says Google's own Wallet payment system is susceptible to the Fake ID attack. Malicious code can harvest credit card numbers, to put it bluntly.

"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users," a Google spokesman told El Reg in an emailed statement.

"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."

That Google has issued a patch and is checking Play for applications is welcome, but that still leaves a sizable pool of handsets out there that are still vulnerable. Bluebox has built an application to test for the flaw and has a couple of ideas for those who still haven't got the patch.

"First off, steer clear of unauthorized application stores or markets offering cracked versions of code and only take apps from trusted sources," Forristal advised.

"In addition, if your phone is unpatched then you need to make a customer service enquiry to the phone manufacturer and your carrier and put pressure on for a network update. Keep pressure on both parties to motivate than to be part of the release cycle rather than being lackadaisical about it." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.