All mobile devices running Android versions 2.1 to 4.3 contain a vulnerability – dubbed “Fake ID” – that enables the identity of trusted applications to be copied, consequently opening the door to a whole list of malicious actions, including, in some cases, taking control of the device.
The vulnerability ultimately “undermines the validity of the [Android] signature system and breaks the PKI fundamental operation,” Jeff Forristal, CTO of Bluebox Security, wrote in a Tuesday post, adding that he will be getting into the technical details at the upcoming Black Hat 2014 conference.
Taking advantage of the vulnerability enables all sorts of attacks, including stealing data from apps, affecting wireless near field communication (NFC) payments, and, in some cases, taking over control of the device, Forristal told SCMagazine.com in a Tuesday email correspondence.
“The vulnerability is present on [many] versions of Android, [but] the vectors of exploitation differ,” Forristal said. “The Adobe vector of exploitation affects all devices 2.1 - 4.3. The Google Wallet vector of exploitation is only subject to devices with NFC hardware using Google Wallet. One vector of exploitation [is] limited to devices including the 3LM extensions.”
Used for mobile device management, 3LM device extensions exist in HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices, Forristal wrote in the post. Imitating 3LM enables full management control of the device.
An attacker seeking to exploit the vulnerability would typically begin by creating a malware-laced application that is advertised as something enticing, such as a full version of a popular game, Google Services Framework update, or other security update.
“The attacker will [then] fabricate a set of identities for the application that includes, in the identity chain, the identities of other specially-privileged parties [such as] Adobe, Google Wallet team, and 3LM,” Forristal said.
The malware-laced app is then distributed in any number of ways – slipped into a public app store, sent as an email attachment or a link in an SMS message, or placed on a public website – for the user to download and install.
“The set of permissions normally shown to the user can be effectively kept minimal, so the malware doesn't even claim need of any suspicious permissions, [such as] ‘access SMS,’” Forristal said. “The OS acts upon the identities included in the application's signing chain; [it] starts to give the installed app the privilege, starts disseminating the viral portions of that malware into other apps, [and so on].”
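The PKI operation Forristal refers to is that a certificate chain only proves identity if each link's signature verifies under its issuer's public key; an installer that trusts a chain by the identities it carries, without that check, accepts a copied name as easily as a real one. The Go program below, an added example that is neither the article's nor Bluebox's nor Android's own code, builds a placeholder privileged root with the standard library, issues one app certificate genuinely signed by it and one that only names it as issuer, and shows a name-only check accepting both while signature verification rejects the forgery. The vendor name, package names and keys are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Result records whether each check accepts the legitimate and the forged app certificate.
type Result struct{ LegitByName, LegitBySig, ForgedByName, ForgedBySig bool }

// makeCert issues a certificate for a fresh key. It names issuer as its issuer but is signed by
// signer, which need not be issuer's own key: that mismatch is what a forged identity chain is.
// A nil issuer produces a self-signed root. (Constructed demo code, not Android's installer.)
func makeCert(cn string, issuer *x509.Certificate, signer *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if issuer == nil {
		issuer, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// trustedByName is the flawed check: accept the app because its chain merely names a privileged identity.
func trustedByName(app, anchor *x509.Certificate) bool { return app.Issuer.CommonName == anchor.Subject.CommonName }

// trustedBySignature is the step PKI requires: the anchor's public key must actually verify app's signature.
func trustedBySignature(app, anchor *x509.Certificate) bool { return app.CheckSignatureFrom(anchor) == nil }

// Demo: a placeholder vendor root, an app it really signed, and an app that only copies the vendor's name.
func Demo() Result {
	vendor, vendorKey := makeCert("PLACEHOLDER privileged vendor", nil, nil, true)
	legit, _ := makeCert("com.example.legit", vendor, vendorKey, false)
	_, otherKey := makeCert("unrelated root", nil, nil, true) // key with no relation to the vendor
	forged, _ := makeCert("com.example.forged", &x509.Certificate{Subject: vendor.Subject}, otherKey, false)
	return Result{trustedByName(legit, vendor), trustedBySignature(legit, vendor),
		trustedByName(forged, vendor), trustedBySignature(forged, vendor)}
}
```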
The Google Android security team was informed of the vulnerability (Google bug 13678484) in April, produced a fix, and provided it to all Android partners via the Open Handset Alliance, Forristal said. Some Android vendors have produced and distributed updates and others are in the process.
“Unfortunately, some devices simply may never be patched,” Forristal said. “This Android patching dynamic is not particular to this vulnerability; it's been a historical concern in the Android ecosystem for a while now.”
A WebView component change prevents Android 4.4 from being affected, but for users of all other versions, Forristal suggested only downloading apps from trusted sources to avoid being compromised.