It is always a bad day when you find out there is a problem. Even if it is as simple as your coffee pot not working (ok bad choice for many). Things are made worse when you find out it is a problem that just cannot easily be fixed or worked around. This is the case in a new Android based vulnerability that was discovered by Blue Box Security (the same guys that found the Master Key issue) a few months ago.
The flaw has been dubbed “Fake ID” and exists in all versions of Google’s Android since 2010 (4.4 is not susceptible). Fake ID is pretty much exactly what the name implies: a malicious individual can craft a false id for an application and push it through as if it were something else. Once the malware is on the system it has access to a large number of functions including NFC data, Google Wallet, Contacts and even simply taking over the phone.
According to the information released by Blue Box Security:
“This is a widespread vulnerability dating back to the January 2010 release of Android 2.1 and affecting all devices that are not patched for Google bug 13678484, disclosed to Google and released for patching in April 2014. All devices prior to Android 4.4 (“KitKat”) are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of the apps’s data, and being able to do anything the app is allowed to do. Android 4.4 is specifically immune due to a change in the webview component (the switch from webkit to Chromium moved away from the vulnerable Adobe-centric plugin code).
Users of devices from specific vendors that include device administration extensions are at risk for a partial or full device compromise by malware. The 3LM device extensions (temporarily owned by Motorola and Google) are present in various HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices – and are susceptible to the vulnerability as well.
Other devices and applications that depend upon the presence of specific signatures to authenticate an application may also be vulnerable. Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability. “
So far not every manufacturer has pushed out the patch. According to the information we have only Motorola has pushed this patch out to carriers for OTA update. This leaves a lot of phones vulnerable to this bug. To compound the issue it seems that the ID (security certificates) are not being properly validated by the Android Package installer. This is the equivalent of a bouncer at a bar only asking if you have ID, but not actually checking to make sure it is real.
Because of this lack of verification any application can have a fake ID made for it that allows it to act like another app. This Fake ID can allow for some very deep access to system level functions. Blue Box uses the following as an example:
“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains the both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications”
But wait there is more, an attacker can further exploit the system by allowing multiple signatures on a single application that contains multiple identities. Once the super-spy malware gets in and breaks out of the sandbox (because of this flaw) the game is over for the device. This flaw is present in the Android Base Code (AOSP) so it is a very fundamental flaw in the system. Perhaps Google needs to hire a new crew of bouncers, with the current set they have left the front door open to a lot of people.
As we mentioned earlier Google has pushed out a patch for this and it is in the hands of the manufacturers. The down side of this is that manufacturers can take a long time to verify that a patch will not break their shovelware, many will also hold onto patches until they have a few in hand to reduce releases. Once the manufacturers are done it goes to the carriers who run the whole process all over again before setting up and scheduling a release for OTA update…
For now we would recommend that you avoid installing apps until you know you are patched. Even those running Android 4.4 might want to take things slow until they see an update that covers this. Blue Box Security will be talking about this bug during Black Hat 2014 and we hope to bring you more information then.
Tell us what you think in our Forum
The full release can be found on the next page -