While the world celebrates the dominant position that mobile penetration has taken, along with the various platforms under its umbrella, cyber thieves and criminals are seizing the opportunity to unleash their OS-based scams.
Because it holds the majority of the mobile platform market, Google’s Android operating system has long been a target for cybercriminals, and recently exposed weaknesses in the way the operating system handles certificate validation leave millions of Android devices open to attack.
By Phinias Shonayi
The flaw, dubbed “Fake ID”, affects all versions of the Android operating system from 2.1 (released in 2010) up to Android 4.4, also known as KitKat.
Critical is the word for this vulnerability: it could allow a fake, malicious app to masquerade as a legitimate and trusted application, enabling an attacker to perform various actions such as inserting malicious code into a legitimate app, accessing your personal information or even taking complete control of an affected device. Devices running the 3LM administration extension in particular are at risk of complete compromise, including devices from HTC, Pantech, Sharp, Sony Ericsson, and Motorola.
Bluebox CTO Jeff Forristal says, “Every Android application has its own unique identity, typically inherited from the corporate developer’s identity.” The bug, however, allows those identities to be copied and used “for nefarious purposes.”
Researchers named the flaw “Fake ID” because it allows malicious applications to pass fake credentials to the Android OS, which fails to properly verify the application’s cryptographic signature. Instead, the operating system grants the rogue application all the access permissions that it grants to the legitimate app.
Android applications are signed using digital certificates in order to establish the identity of the app developer. Because of the Fake ID vulnerability, however, the Android app installer doesn’t try to authenticate the certificate chain of a given app, which means an attacker can build an app with a fake identity and impersonate an app with extensive privileges, such as an Adobe plug-in or Google Wallet.
For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate.
Upon installation, the Android package installer does not verify the claim of the malicious identity certificate, and creates a package signature that contains both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (which explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems, leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.
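A simplified model of the flaw described above, added here as an example; it is not code from the original article or from Android. It uses toy textbook RSA with constructed keys (not secure) and hypothetical function names to contrast chain building that trusts the issuer name with chain building that verifies each signature.

```python
import hashlib

E = 65537

def make_key(p, q):
    # Toy textbook RSA from two constructed primes; illustration only, not secure.
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def tbs_digest(cert, n):
    # Hash of the signed fields, reduced into the signer's modulus.
    data = f"{cert['subject']}|{cert['issuer']}|{cert['n']}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_key, issuer_name, signing_key):
    cert = {"subject": subject, "issuer": issuer_name, "n": subject_key["n"]}
    n, d = signing_key["n"], signing_key["d"]
    cert["sig"] = pow(tbs_digest(cert, n), d, n)
    return cert

def signed_by(cert, parent):
    # The check the article says was skipped: does the parent's key verify the child?
    return pow(cert["sig"], E, parent["n"]) == tbs_digest(cert, parent["n"])

def build_chain(leaf, bundled, verify_signatures):
    # Walk issuer -> subject links through the certificates bundled with the app.
    chain, cur = [leaf], leaf
    while cur["issuer"] != cur["subject"]:
        parent = next((c for c in bundled if c["subject"] == cur["issuer"]), None)
        if parent is None or (verify_signatures and not signed_by(cur, parent)):
            break
        chain.append(parent)
        cur = parent
    return chain

def has_trusted_cert(chain, trusted):
    # Models a privilege check that looks for a known certificate in the chain.
    return any(c == trusted for c in chain)

# Constructed keys and certificates; subject names are sample values.
vendor_key = make_key(2**61 - 1, 2**89 - 1)
other_key = make_key(2**107 - 1, 2**127 - 1)
app_key = make_key(2**521 - 1, 2**607 - 1)
vendor_cert = issue("Adobe Systems", vendor_key, "Adobe Systems", vendor_key)
genuine = issue("Genuine Plugin", app_key, "Adobe Systems", vendor_key)
# Issuer field claims the vendor, but the signature comes from an unrelated key.
claimed = issue("Unrelated App", other_key, "Adobe Systems", other_key)

def demo():
    check = lambda leaf, verify: has_trusted_cert(
        build_chain(leaf, [vendor_cert], verify), vendor_cert)
    return {"name_only": check(claimed, False), "verified": check(claimed, True),
            "genuine": check(genuine, True)}
```

With name-only linking the vendor certificate ends up in the chain of the unrelated app; with signature verification the chain stops at the leaf, while the genuinely issued certificate still chains to the vendor.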
Google already released a patch to its partners in April. However, that still leaves millions of handsets vulnerable, as it’s up to the carriers themselves to push the updates to users.
The vulnerability resides in the Android operating system itself, so the update will reach users at some point in the coming period: maybe today, maybe a month from now, or it could take a year.
Effectively addressing a vulnerability requires a three-step process:
• Google produces a generic code fix, which it provides to the Android phone manufacturers.
• Phone manufacturers must then incorporate that fix into a firmware update suitable to specific phones, which they provide to carriers.
• The carrier then distributes the final update, which ensures your phone is safe from the vulnerability.
As regards Fake ID, Google has provided the generic code fix to the phone manufacturers.
Bluebox Security has also built a Scanner to test for the vulnerability and has a couple of ideas for those who still haven’t got the patch.