Security CTO to detail Android Fake ID flaw at Black Hat

July 29, 2014 by Nancy Owano weblog
Android

Where have you heard this before: A team of security researchers discover a security flaw in Android devices. This is, however, news. This time, experts are talking about a flaw that involves a widespread vulnerability dating back to the release of Android 2.1.

Bluebox Labs claims that Fake ID has been present in Android from version 2.1, leaving a substantial number of devices running earlier versions of the operating system vulnerable. Reports say the flaw involves devices still running Android 2.1 to Android 4.3, with affected users potentially left open to attack from malicious apps that would appear to come from legitimate developers. The Android , dubbed Fake ID, can enable malware to impersonate trusted applications. The vulnerability was posted in a blog Tuesday by Bluebox Security CTO Jeff Forristal, based on research by the company's Bluebox Labs. They found identities can be copied. How much mischief can be done? He said, "the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM."

The team found that Fake ID is the result of how Android checks app security, with each app given a cryptographic signature determining who can update it, and what privileges it has. Bluebox said up until KitKat, Android did not carry out adequate checks on the certificate chain. Forrestal told the BBC, "That missing link of confirmation is really where this problem stems." Forristal said it was like a tradesman entering a building and showing his ID to a guard and being given special access without any phone call made to the tradesman's employer to check if the person is really on the books.."The fundamental problem," he added, "is simply that Android doesn't verify any claims regarding if one identity is related to another identity."

Gizmodo noted that a patch was issued by Google to Android partners and to the Android Open Source Project. The Guardian on Tuesday said Google has not seen evidence of attempted exploitation of this vulnerability. The Guardian quoted a Google spokesperson: "Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability." According to the BBC, a Google spokesperson also said, "We appreciate Bluebox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users."

Forristal will speak about this next week at the Black Hat Security event in Las Vegas. He said his talk will cover technical details, where he will review the bug, including how it was found, and how it works.

Explore further: Researchers ID 'smishing' vulnerability in Android

More information: www.blackhat.com/us-14/briefings.html#android-fakeid-vulnerability-walkthrough
bluebox.com/technical/android-fake-id-vulnerability

Related Stories

Researchers ID 'smishing' vulnerability in Android

November 5, 2012

(Phys.org)—Mobile security researchers have identified a new vulnerability in popular Android platforms, including Gingerbread, Ice Cream Sandwich and Jelly Bean. The vulnerability has been confirmed by Google, and will ...

Google removes Android malware used to secretly mine bitcoin

April 27, 2014

If you own an Android device, your phone might be mining bitcoin without you even knowing it. Five applications were recently removed from the Google Play store after they were discovered to be covertly using Android devices ...

Recommended for you

How to curb emissions? Put a price on carbon

September 3, 2015

Literally putting a price on carbon pollution and other greenhouse gasses is the best approach for nurturing the rapid growth of renewable energy and reducing emissions.

Customizing 3-D printing

September 3, 2015

The technology behind 3-D printing is growing more and more common, but the ability to create designs for it is not. Any but the simplest designs require expertise with computer-aided design (CAD) applications, and even for ...

Magnetic fields provide a new way to communicate wirelessly

September 1, 2015

Electrical engineers at the University of California, San Diego demonstrated a new wireless communication technique that works by sending magnetic signals through the human body. The new technology could offer a lower power ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.