Printed from http://www.electronista.com

Long-standing Android 'Fake ID' bug gives malware root access

updated 09:10 am EDT, Tue July 29, 2014

App masquerading as Flash, others, can break Android sandboxing

Mobile device researchers Bluebox Security have discovered a serious flaw in Google's Android operating system that dates back to version 2.1, and is still present (albeit weakened) in the new 5.0 preview. The "Fake ID" security flaw allows a fake app to include an invalid security certificate, claiming that it is an app with sandbox-breaking privileges, in essence, giving the malicious app root access to the phone and all its contents.

"All it really takes is for an end user to choose to install this fake app, and it's pretty much game over," Bluebox Security CTO Jeff Forristal told Ars Technica. "The Trojan horse payload will immediately escape the sandbox and start doing whatever evil things it feels like, for instance, stealing personal data."

The flaw comes with how Android handles security certificates. Apps that are properly credentialed are "sandboxed," or run isolated from other parts of Android, preventing an app from wreaking havoc across the device. A few apps, such as Adobe Flash, Google Wallet, and other device-management apps have special privileges, which allows the app to function across the sandbox. Android looks at the security certificates, but does not verify that the certificate is being used with app that it "belongs" to.

Android 4.4 has introduced some changes, limiting some of the priveleges that Flash has but not necessarily other plugins, like device-management applications. Google claims that after it recieved notification of the flaw a few months ago, it "quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue."

Google also claims that it has scanned all applications submitted to Google Play for the issue, and has "seen no evidence of attempted exploitation of this vulnerability," but omits any mention of changing Android to eliminate the problem entirely, particularly in any older version. Electronista has reached out to Google, Samsung, and other companies to see if the patch has been distributed to end-users by any company -- Google itself is only responsible for patches to its own devices, and vendors and wireless carriers handle the rest. It is unknown if the exploit can penetrate Samsung's Knox enterprise security suite, which is at the core of Google's new security enhancements in Android L.

"With this vulnerability, malware has a way to abuse any one of these hardcoded identities that Android implicitly trusts," said Forristal. "So malware can use the fake Adobe ID and become a plugin to other apps." More details of the flaw will be disclosed at next week's Black Hat security exposition.



By Electronista Staff
Post tools:

TAGS :

toggle

Comments

Login Here

Not a member of the MacNN forums? Register now for free.

toggle

Network Headlines

toggle

Most Popular

Sponsor

Recent Reviews

ActvContent Sync Smartband

Smartbands of all sorts are hitting the market. Some build on the buzz around fitness trackers, while others offer simpler features fo ...

RocketStor 6324L Thunderbolt 2 eSATA bridge

Like it or not, the shift to Thunderbolt is underway. The connection is extremely flexible, allowing for video and data to co-habitate ...

Patriot Stellar Boost XT 64GB USB 3.0 drive

A vast selection of USB memory sticks means that consumers can often find exactly the size drive they need in a configuration that can ...

Sponsor

toggle

Most Commented

 
toggle

Popular News