Millions of people using Android devices could be left open to attack from malicious apps that appear to come from legitimate developers, due to a flaw in Google's mobile software.
The flaw has been named "Fake ID" by security company Bluebox Labs, which discovered it. However, Google says it has already issued a patch to protect Android users from attacks exploiting the flaw.
Fake ID has been resident in Android from version 2.1 to 4.4, although it was fixed in April as part of the latest update, Android KitKat. Millions of devices could still be at risk, though, as Google's own figures show that 82.1% of Android users are running an older version.
In a blog post published today, Bluebox explained that the problem lies in how app security is checked on Android, with each app given its own cryptographic signature determining who can update it, and what privileges it has on a device.
To get these signatures, apps are signed using “identity certificates”, which go along a chain of trusted parties, supposedly to guarantee the right people are in control of the software.
There are “parent certificates” and “child certificates”, which are checked against one another upon installation to ensure they match up and the app is trusted. The parent, usually handed down by the original software creator, effectively proves the child is worthy of being trusted, as part of what is known as the “certificate chain”.
This should act as a decent security mechanism, but Bluebox Labs claims that the whole signature system had been undermined, as Android did not carry out adequate checks on the certificate chain.
“In other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim (normally done by verifying the issuer signature of the child certificate against the public certificate of the issuer),” explained the company.
The problem was more severe in cases where very specific signatures were given special privileges, said Bluebox. For instance, any app that contains a parent certificate from Adobe Systems is allowed to launch a webview plugin, which is used to load HTML code in apps, in all other applications.
So an attacker could create a new certificate that appeared to have been issued by Adobe and merge it with the child certificate of a malicious application. That bad app would then get all the permissions Adobe software would without the user being alerted.
To finish off the attack, the hacker could open a webview plugin in another app, which would let them run malicious code on the device and infect the Android phone with malware.
They could do the same using the signature of the Android Near Field Communications (NFC) file to gain the same privileges of a Google Wallet application. This could place people’s financial data in danger, said Bluebox.
“The problem is further compounded by the fact that multiple signers can sign an Android application (as long as each signer signs all the same application pieces). This allows a hacker to create a single malicious application that carries multiple fake identities at once, taking advantage of multiple signature verification privilege opportunities,” Bluebox added.
A Google spokesperson said that after Bluebox’s disclosure, it quickly issued a patch that was distributed to Android partners and to the Android Open Source Project.
“Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,” the spokesperson added.
• Forget lone hackers, mobile malware is serious business