Android Users on High Alert After FakeID Bug Discovery

Security researchers are warning of a major new Android vulnerability which could allow malware to impersonate trusted apps.
 
The FakeID flaw affects all versions of Android from 2.1 to 4.4. Although bug 13678484 was patched in April 2014, researchers at BlueBox Security warned that many manufacturers may not yet have pushed the fix out.
 
Each Android app is cryptographically signed with a PKI identity certificate, in much the same way that HTTPS/SSL systems use certificates to identify servers.
 
“As part of the PKI standard, an identity certificate can have a relationship with another identity certificate: a parent certificate (‘issuer’) can be used to verify the child certificate,” said Bluebox in a blog post.
 
“On an Android system, the digital certificate(s) used to sign an Android application become the application’s literal package ‘signature’, which is accessible to other applications via normal application meta-data APIs (such as those in PackageManager).”
 
According to the firm, an app signature plays an important role in the system in that it “establishes who can update the application, what applications can share its data, etc.
 
“Certain permissions, used to gate access to functionality, are only usable by applications that have the same signature as the permission creator. More interestingly, very specific signatures are given special privileges in certain cases,” Bluebox added.
 
This use of digital signatures is “wholly appropriate” as long as the system “supports the notion of PKI digital certificate identities”. However, the vulnerability found by Bluebox effectively breaks a fundamental PKI operation: confirming that a certificate was really issued by the certificate it names as its issuer.
 
“The Android package installer makes no attempt to verify the authenticity of a certificate chain; in other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim (normally done by verifying the issuer signature of the child certificate against the public certificate of the issuer),” it said.
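To make the missing step concrete, here is an added toy model of the chain check Bluebox describes; it is not Android's or Bluebox's code. Certificates are plain dictionaries, signatures are textbook RSA over a SHA-256 digest with small constructed keys, and the trust store is a dictionary mapping an issuer name to its public key. `accepted_without_chain_check` models the flawed behaviour (believing the issuer name written in the certificate), while `accepted_with_chain_check` verifies the child certificate's signature against the named issuer's public key before honouring the relationship. The key sizes, names and the impostor certificate are all constructed for illustration.

```python
"""Toy model of the certificate-chain check that FakeID showed the Android
package installer was skipping.  Added example, not Android's or Bluebox's
code.  Certificates are dicts; signatures are textbook RSA over a SHA-256
digest using small, constructed keys, so this only illustrates the logic."""
import hashlib
import json

# Constructed keys from well-known primes; far too small for real use.
ISSUER_PRIMES = (1000003, 999983)
APP_PRIMES = (104729, 1299709)
ROGUE_PRIMES = (15485863, 982451653)


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for a toy RSA key built from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; needs Python 3.8+
    return (n, e), (n, d)


def _digest(body, n):
    """SHA-256 of the canonical cert body, reduced into the RSA modulus."""
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def make_cert(subject, public_key, issuer_name, signing_private_key):
    """Build a cert whose body names an issuer and whose signature is made
    with signing_private_key.  Nothing forces the two to agree: that gap is
    exactly what a chain check exists to close."""
    body = {"subject": subject, "issuer": issuer_name,
            "public_key": list(public_key)}
    n, d = signing_private_key
    return {"body": body, "signature": pow(_digest(body, n), d, n)}


def signature_valid(cert, public_key):
    """True if the cert's signature verifies under public_key."""
    n, e = public_key
    return pow(cert["signature"], e, n) == _digest(cert["body"], n)


def accepted_without_chain_check(cert, trusted_issuers):
    """Models the flawed behaviour: trust the issuer name in the cert body."""
    return cert["body"]["issuer"] in trusted_issuers


def accepted_with_chain_check(cert, trusted_issuers):
    """The missing step: verify the child's signature with the named issuer's
    public key before honouring the claimed issuer relationship."""
    issuer_key = trusted_issuers.get(cert["body"]["issuer"])
    return issuer_key is not None and signature_valid(cert, issuer_key)


def demo():
    """Run both checks over a legitimately issued cert and a constructed one
    that merely names the trusted issuer.  Returns the verdicts by name."""
    issuer_pub, issuer_priv = make_keypair(*ISSUER_PRIMES)
    trusted = {"Trusted Issuer": issuer_pub}

    app_pub, _ = make_keypair(*APP_PRIMES)
    legit = make_cert("Legit App", app_pub, "Trusted Issuer", issuer_priv)

    # Constructed impostor: names the trusted issuer, signed with its own key.
    rogue_pub, rogue_priv = make_keypair(*ROGUE_PRIMES)
    fake = make_cert("Impostor App", rogue_pub, "Trusted Issuer", rogue_priv)

    return {
        "legit_no_check": accepted_without_chain_check(legit, trusted),
        "fake_no_check": accepted_without_chain_check(fake, trusted),
        "legit_checked": accepted_with_chain_check(legit, trusted),
        "fake_checked": accepted_with_chain_check(fake, trusted),
        # The impostor cert is internally consistent; it is only the issuer
        # claim that is false, which is why a name comparison cannot catch it.
        "fake_self_consistent": signature_valid(fake, rogue_pub),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running the block prints both verdicts for each certificate: the name-only check accepts the impostor, while the signature check rejects it and still accepts the legitimately issued certificate. The same structure carries over to the multiple-signer case the article goes on to mention: each signer's certificate chain has to be verified independently, since one unverified issuer claim is enough to borrow that issuer's privileges.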
 
This enables malware to masquerade as a legitimate app, and even to inject Trojan code into other apps, taking them over completely and stealing user data.
 
The problem is compounded because an Android app can be signed by multiple signers, so an attacker could build a single piece of malware carrying several fake identities at once.
 
Craig Young, security researcher at Tripwire, said the FakeID bug highlights the best and worst of Android security.
 
“On one hand, Android’s open nature attracts 3rd party security review from white hat firms such as BlueBox whereas proprietary systems sometimes discourage security research and even take measures to hinder it,” he argued.
 
“On the other hand, Android’s fragmented ecosystem means that many devices will forever be affected by this vulnerability due to short device support windows and slow phone carriers.”
 
Users sticking to the official Google Play store should be safe, especially if they install a mobile AV tool for an extra layer of protection, he said.
 
“If this attack has been used in the wild, it was likely limited to specific targeted attacks and not with apps distributed through Google Play,” Young continued.

“Now that the cat is out of the bag however I would expect to see apps with fake IDs showing up in third party markets or drive-by download attacks.” 
