Android's Fake ID Could Put Millions in Jeopardy
Jul 30, 2014 7:10 AM PT
An Android vulnerability that exists in every version from v2.1 Eclair to v. 4.3 Jelly Bean could expose millions of users, Bluebox Security has warned.
The flaw lets attackers fake the certificates of specially privileged parties, such as Adobe and Google Wallet, and serve them up with malware that bypasses detection by Android.
Attackers then can take over every application running on an Android device.
The flaw, which Bluebox calls -- what else? -- "Fake ID," also might impact Android forks under the Android Open Source Project, including Amazon's Fire OS.
Bluebox has notified Google, which has fixed the flaw.
"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP," Google spokesperson Christopher Katsaros told TechNewsWorld. "Google Play and Verify Apps have also been enhanced to protect users from this issue."
Why Fake ID Is So Dangerous
Android applications are cryptographically signed by a single identity through the use of a PKI identity certificate.
PKI certificates can have a parent/child relationship with other PKI certificates, where the first certificate serves as the parent, validating the other certificate.
In Android, the digital certificates used to sign apps become the app's package signature that is available to other apps through normal metadata APIs such as those in PackageManager, said Bluebox Security CTO Jeff Forristal.
An application's signature establishes who can update it and what applications can share its data, he told TechNewsWorld.
Certain signatures are given special privileges in certain cases. For example, an application bearing Adobe's digital certificate identity can act as a webview plugin for all other apps; or, an app with the signature of the Google Wallet app can be allowed access to near field communication hardware.
On some devices, applications with the signature of the device manufacturer or trusted third parties can access the vendor's mobile device management extensions to manage, configure and control the device.
Android's package installer does not verify the authenticity of a certificate chain.
How Hackers Can Use Fake ID
To use Fake ID, hackers fabricate a set of identities for a malware app that includes the identities of specially privileged parties in the identity chain -- then distribute the application in various ways, Forristal explained.
The set of permissions normally shown to the user "can effectively be kept minimal" when the malicious app is installed, and the malware does not need to ask for suspicious permissions such as "access SMS," he said.
Once the app is installed, "it's game over," Forristal said. "The OS acts upon the identities included in the applications signing chain, and starts to give the installed app privileges -- starts disseminating the viral portions of that malware into other apps."
A malware application can exploit multiple identities, thus using a combination of vectors, he said.
Enterprises Are Vulnerable
"Connecting mobile devices to sanctioned cloud-based business applications that contain business-critical and sensitive information is now becoming the norm," noted Ron Zalkind, chief technology officer at CloudLock.
"At CloudLock, we've identified close to 10 thousand of these apps that are directly connected to the enterprise," he told TechNewsWorld.
A vulnerability like Fake ID could give attackers access to corporate identities as well as corporate information, Zalkind warned.
"We have scanned all applications submitted to Google Play, as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability," Google's Katsaros said.
However, updates usually are held back by carriers and device makers for compatibility testing, and "the slowness of upgrades to the latest Android version exacerbates [the Fake ID threat]," CloudLock's Zalkind said.
Users should install patches as soon as they are available.
They can use Bluebox's security scanner to check their device.