Android Fake ID bug allows malware to impersonate trusted apps
Researchers at BlueBox security, who identified the vulnerability, dubbed the flaw as Fake ID, which affects all versions of Android operating system from 2.1 (released in 2010) up to Android 4.4, also known as KitKat.
Researchers marked the vulnerability as critical because it could allow a fake and malicious app to masquerade as a legitimate and trusted application, enabling an attacker to perform various actions such as inserting malicious code into a legitimate app, infiltrating your personal information or even take complete control of an affected device. Specifically, devices running the 3LM administration extension are at risk for a complete compromise, which includes devices from HTC to Pantech, Sharp, Sony Ericsson, and Motorola.
"Every Android application has its own unique identity, typically inherited from the corporate developer's identity," Bluebox CTO Jeff Forristal wrote in a blog post published Wednesday. The bug, however, will copy the identifies and use them "for nefarious purposes."
Researchers named the flaw "Fake ID" because it allows malicious applications to pass fake credentials to Android OS, which fails to properly verify the application's cryptographic signature. Instead, the operating system grants all the access permissions to the rogue application that it grants to the legitimate app.
Actually, in order to establish the identity of the app developer, Android applications are signed using digital certificates. But due to the claimed Fake ID vulnerability, the Android app installer doesn’t try to authenticate the certificate chain of a given app, which means an attacker can built an app with a fake identity and impersonate it with extensive privileges such as an Adobe plug-in or Google Wallet.
In the case of Adobe, the malware app would look like Adobe-trusted code and have the ability to escape the sandbox and run malicious code inside another app, the researchers said.
“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate,” the Bluebox researchers said in a post explaining their discovery.
“Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains the both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.”
Researchers also pointed out one more target of an attacker exploiting the Fake ID vulnerability i.e. Google's own Wallet payment system. A malicious app with signature of Google Wallet would allow an attacker to access the NFC (Near Field Communications) chip in the device.
[adsense size='1']
The NFC chip in the device is responsible for the storage of payment information used in NFC payments via Google Wallet. This NFC is used in various electronic payment applications and a malicious code can harvest credit card numbers as well.
According to Jeff Forristal, the attackers have more ways to exploit Fake ID vulnerability, a bug that he will discuss in a presentation at Black Hat in Las Vegas next week.
Google already released a patch to its partners in April. However, it still leaves a millions of handsets out there that are still vulnerable, as it’s up to the carriers themselves to push the updates to users.
The vulnerability resides in the Android operating system therefore the new update would be available for the users in the coming period, may be today, a month after or could take a year.
As the researchers say, Effectively addressing a vulnerability requires a three step process:
- Google produces a generic code fix, which it provides to the Android phone manufacturers
- Then phone manufacturers must then incorporate that fix into a firmware update suitable to specific phones, which they provide to carriers
- The carrier then distributes the final update, which ensures your phone is safe from the vulnerability As regards Fake ID, Google has provided the generic code fix to the phone manufacturers.
Bluebox Security has also built a Scanner to test for the vulnerability and has a couple of ideas for those who still haven't got the patch.
Gloss