Fake ID Android flaw allows apps to be impersonated

News by Steve Gold

A new and potentially serious flaw has been found in Android, affecting devices from version 2.1 upwards. The flaw, dubbed 'Fake ID' by Bluebox Labs, allows malware to impersonate trusted applications.

According to Jeff Forristal, the research firm's CTO, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions - "either insert a Trojan horse into an application by impersonating Adobe Systems; gaining access to NFC financial and payment data by impersonating Google Wallet; or taking full management control of the entire device by impersonating 3LM."

The flaw stems from the way Android establishes an app's identity. Every app is signed with a certificate, and that signing identity determines who may update the app and, for a small set of hard-coded signers, which extra privileges it is granted. An app package can carry a chain of certificates, and Android's package installer accepted the issuer relationships stated in that chain without verifying the signatures that are supposed to prove them, so an app could present a certificate claiming to have been issued by a trusted signer and be treated as if it really had.

Forristal told the BBC that the problem stems from this missing step of confirmation, comparing it to a tradesman entering a building, showing his ID to a security guard and being given special access without the guard ever phoning the tradesman's employer to check that he is really on the books.

"The fundamental problem," he told the BBC, "is simply that Android doesn't verify any claims regarding if one identity is related to another identity."
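The missing confirmation step Forristal describes can be shown directly. The Go program below is an added example written for this article, not Bluebox's or Android's code, and uses only the standard library's crypto/x509. It constructs a hypothetical vendor CA, a leaf certificate that CA genuinely issued, and a leaf that merely names the CA in its Issuer field while being signed with an attacker's own key. A check that believes the Issuer field, which is effectively what Android's package installer did, accepts both leaves; a check that verifies the signature accepts only the genuine one. The CA name, the leaf names and all keys are constructed for the example and stand in for no real vendor.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert issues tmpl with parent's Subject as the Issuer, signed by signer's key.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func leafTemplate(serial int64, cn string, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
}

// BuildFixture returns a constructed vendor CA, a leaf it really signed, and a
// leaf that only claims the CA as its issuer.
func BuildFixture() (vendorCA, genuine, forged *x509.Certificate) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Vendor Signing CA"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	vendorKey := mustKey()
	vendorCA = mustCert(caTmpl, caTmpl, &vendorKey.PublicKey, vendorKey)

	appKey := mustKey()
	genuine = mustCert(leafTemplate(2, "genuine-plugin", now), vendorCA, &appKey.PublicKey, vendorKey)

	// The forgery: the CA *template* is passed as parent, so its Subject is copied
	// into the leaf's Issuer (and, carrying no public key, it is not compared with
	// the signer), while the signature is made with the attacker's key.
	attackerKey := mustKey()
	forged = mustCert(leafTemplate(3, "malware", now), caTmpl, &attackerKey.PublicKey, attackerKey)
	return vendorCA, genuine, forged
}

// IssuerNameOnly is the Fake ID pattern: it believes the certificate's own
// claim of who issued it and never checks the signature.
func IssuerNameOnly(leaf, trusted *x509.Certificate) bool {
	return bytes.Equal(leaf.RawIssuer, trusted.RawSubject)
}

// IssuerVerified is the fix: the claimed relationship must be proven by a
// signature that validates under the trusted CA's key.
func IssuerVerified(leaf, trusted *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(trusted) == nil
}

type Outcome struct {
	GenuineNameOnly, ForgedNameOnly, GenuineVerified, ForgedVerified bool
}

// Run applies both checks to both leaves.
func Run() Outcome {
	ca, genuine, forged := BuildFixture()
	return Outcome{
		IssuerNameOnly(genuine, ca), IssuerNameOnly(forged, ca),
		IssuerVerified(genuine, ca), IssuerVerified(forged, ca),
	}
}

func main() {
	o := Run()
	fmt.Printf("issuer-name check: genuine=%v forged=%v\n", o.GenuineNameOnly, o.ForgedNameOnly)
	fmt.Printf("signature check:   genuine=%v forged=%v\n", o.GenuineVerified, o.ForgedVerified)
}
```

Run it with `go run`. The point is the second line of output: the forged leaf passes the name-only check and fails the signature check, and nothing in producing it required the vendor's private key. In a real verifier the single-link check becomes a chain walk (`(*x509.Certificate).Verify` with a root pool), and a component that grants privilege to "apps signed by vendor X" must compare against the signer established by that verification, never against a name that merely appears somewhere in the chain.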

Bluebox Labs plans to present its findings at next week's Black Hat USA conference in Las Vegas.

Commenting on the flaw, Nigel Stanley, cyber security practice director for OpenSky UK, said that he has always been concerned about the sometimes blind faith we place in PKI certificate chains, and that this vulnerability demonstrates that, unless properly implemented, digital certificates can provide a false sense of security.

"Despite educating users to take basic security measures with their devices, by, for example, making sure they use a PIN or password and only use legitimate apps from approved app stores, this demonstrates the fact that issues still remain," he said, adding that he hopes the carriers manage to get a fix out before the bad guys exploit the vulnerability.

Jay Christiansen, a consultant with Context Information Security, said that normally the rationale for granting total access to a legitimate app has been in the interest of enhanced security or additional admin functionality.

He explained that this is common in large organisations that desire a device security baseline, yet in this case the impact could be much larger than on the average Android user.

"Given how long the vulnerability has existed and that attackers have previously 'snuck' malware onto the Google Play store, it is likely they would try again, possibly with a specific target in mind. It will be very interesting to see what else is revealed at the BlackHat conference next month," he said.

Craig Young, a security researcher at Tripwire, agreed, noting that Bluebox researchers have found and disclosed what appears to be another critical Android vulnerability.

The vulnerability, he says, highlights some of the best and worst aspects of the Android security system. On one hand, he adds, Android's open nature attracts third party security review from white hat firms such as Bluebox whereas proprietary systems sometimes discourage security research and even take measures to hinder it.

"On the other hand, Android's fragmented ecosystem means that many devices will forever be affected by this vulnerability due to short device support windows and slow phone carriers. All is not lost for owners of unsupported devices however as long as they stick to applications obtained from the Google Play store and do not enable apps from untrusted sources," he said.

"Users without access to Google Play or who want an added layer of protection should install a mobile anti-virus product to detect this and other malicious apps," he added.

Mark James, technical team leader with ESET, said that one solution is to ensure your phone manufacturer updates its operating system on a regular basis, although users can, he explained, check for updates themselves.

"I also recommend trying to only download and install apps from the Google Play Store; any other location must be checked for authenticity. If a paid-for app on the Play Store is available free somewhere else it's likely to be fake," he said.
