Bluebox Security, the same outfit that last year identified a worrisome (but thankfully patched) flaw in the Android app-packaging system, has done it again. On Tuesday, the company said it had found a new Android vulnerability that potentially allows the stealthy theft of information from millions of devices.
Those with old Android handsets that no longer receive firmware updates are particularly at risk. However, as with the last time round, Android fans should check the details before freaking out – they’re probably not going to get hurt if they only install apps through the Play Store.
The “Fake ID” vulnerability lies in the way Android processes the digital signature identities attached to apps from a handful of vendors. The operating system is configured to automatically accept Adobe apps, for example, and those from certain other vendors including device management outfit 3LM. What’s more, apps with those vendors’ signatures can automatically plug into other apps and pieces of the device’s hardware, in ways that other apps can’t.
Unfortunately, according to Bluebox, since Android 2.1 (which came out at the start of 2010) the Android package installer has not properly checked that identity certificates claiming to come from one of these vendors really do come from them.
As the company explained:
“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains… both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.”
Similarly, the impersonation of 3LM’s signature can allow malware to take control of many device functions, and that of the Google Wallet identity can give access to NFC financial and payment data, Bluebox said.
Bluebox notified Google of this vulnerability back in April, and Google has distributed a patch to its Open Handset Alliance partners. According to Bluebox CTO Jeff Forristal, Motorola has already released patches for some of its devices.
However, as is always the case with Android, different vendors move at different speeds. And, given that this goes all the way back to Android 2.1, there will be many devices out there that are no longer receiving firmware updates, and that will therefore remain vulnerable.
On the plus side, Bluebox hasn’t seen any evidence out there of the vulnerability being exploited. There are also a couple of other limitations to the flaw’s impact:
- Android “KitKat” 4.4 devices aren’t vulnerable to Adobe System webview plugin privilege escalation, because of an under-the-hood switch from Webkit to Chromium.
- 3LM impersonation, which is probably the most worrying due to the range of device management functions involved, only applies to devices with 3LM device extensions, coming from vendors including HTC, Pantech, Sharp, Sony Ericsson (RIP) and Motorola.
“Worse than Master Key”
Forristal claimed that the impact would be worse than that of the “Master Key” vulnerability highlighted by Bluebox in 2013.
“The Master Key vulnerability did allow pretty severe impact on the device, but it was a bit clunky and hard for malware to use in a stealthy fashion,” he said. “The new one is very aligned to how malware would operate, which is why we expect a year down the road that Fake ID will affect way more people than Master Key ever did.”
As always, the advice here is to only install apps from trusted sources and be wary of social engineering ploys that try to get you to install apps from emails and so on. According to Ars Technica, Google says its Play and Verify apps have been updated to protect users from the issue.
Bluebox also has a scanner app that is being updated with features relating to Fake ID.