Bluebox Security, the company whose research discovered the security hole, has dubbed it the “Fake ID” Vulnerability. In short, the concern is that a malicious application can impersonate a trusted application, and thus, gain access to data and privileges on your phone that you would not have intended to grant it.
What is Fake ID All About?
Every Android application bears a digital signature, which serves as its ID to the operating system. However, Bluebox discovered that the operating system doesn’t actually verify the authenticity of this signature. So, an app can use the Fake ID flaw to fool the device into giving it permissions and hardware access that a trusted program would be entitled to.
These digital certificates are connected to the publishers of the software. So, by designing a program that carries Fake ID, a hacker can produce a variety of highly risky consequences. By impersonating Adobe, for example, a trojan horse can be slipped into the application. Spoofing Google Wallet’s credentials could achieve access to sensitive financial data. And a Fake ID pretending to be 3LM could gain complete control of the device.
Who Is Affected By Fake ID?
This bug has been present in all versions of the Android OS starting with Android 2.1 (“Eclair”). The Adobe Systems webview plugin privilege escalation affects all devices running versions prior to Android 4.4 (“KitKat”). It allows trojan horse code to be injected into an application, giving the attacker the power to take control of the app, see and control its data, and do anything else that the app has the rights to do.
In Android 4.4, the webview component has been changed, as Android has moved from webkit to Chromium, so the Adobe webview plugin is not an issue. But the Fake ID is still a concern.
Additionally, any devices that employ device administration extensions by 3LM (these include a number of devices made by HTC, Pantech, Sharp, Sony Ericsson, and Motorola) are subject to compromise by Fake ID.
Basically, any device or software that uses authentication by digital signatures is at risk of being hit by the Fake ID bug.
How Does Fake ID Work?
Android applications are identified to the operating system by means of a PKI digital certificate. Like HTTPS/SSL in web browsers, the PKI standard allows one entity to essentially vouch for another. The “parent” can verify the “child”, in a chain of trusted parties.
While this practice should be effective in theory, the flaw in Android is that it neglects to verify the integrity of the “certificate chain”: it checks that each certificate names its parent, but not that the parent actually signed it. This could allow a hacker’s app to flash its fake ID and, like a youth showing a phony driver’s license at the door of a bar, obtain all the permissions intended for a trusted application.
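As an added illustration (not code from the article, from Bluebox, or from Android itself), here is a toy model in Python of the two ways of walking a certificate chain described above. One verifier links certificates by the issuer name they print, as the article describes the flawed behaviour; the other verifies each signature with the parent’s key and matches the root to a trust anchor by key. All names, keys and certificates are constructed for the example, and the RSA uses tiny primes and no padding, so it demonstrates only the chain logic, not usable cryptography.

```python
import hashlib

# --- Toy RSA (textbook, no padding; primes constructed for this example only) ---
def make_keypair(p, q, e=65537):
    """Return (public, private) toy RSA keys from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}

def _digest_int(data, n):
    """SHA-256 of `data` as an integer below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(_digest_int(data, priv["n"]), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest_int(data, pub["n"])

# --- Minimal certificate model: subject, issuer, subject key, issuer's signature ---
def tbs_bytes(cert):
    """The to-be-signed fields, serialised the same way at issue and verify time."""
    return f"{cert['subject']}|{cert['issuer']}|{cert['pub']['n']}|{cert['pub']['e']}".encode()

def issue(subject, subject_pub, issuer, issuer_priv):
    """The issuer binds `subject` to `subject_pub` by signing the TBS fields."""
    cert = {"subject": subject, "issuer": issuer, "pub": subject_pub}
    cert["sig"] = sign(issuer_priv, tbs_bytes(cert))
    return cert

def chain_by_names_only(chain, publisher):
    """FLAWED verifier, modelled on the article's description of the bug: a link is
    accepted whenever the child's issuer field names the parent, and the privileged
    identity is granted if any certificate in the chain carries the publisher's name.
    No signature is ever checked."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    return any(c["subject"] == publisher for c in chain)

def chain_verified(chain, anchors, publisher):
    """CORRECT verifier: every certificate's signature must verify under the public
    key of the next certificate up; the last certificate must match a trust anchor
    by public key (not by name) and be validly self-signed. Only then does the
    publisher's presence in the chain mean anything."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
        if not verify(parent["pub"], tbs_bytes(child), child["sig"]):
            return False
    root = chain[-1]
    if anchors.get(root["subject"]) != root["pub"]:
        return False
    if not verify(root["pub"], tbs_bytes(root), root["sig"]):
        return False
    return any(c["subject"] == publisher for c in chain)

def build_scenario():
    """Constructed keys and certificates: a root, a trusted publisher certified by
    that root, and an impostor whose certificate merely *claims* the publisher as issuer."""
    root_pub, root_priv = make_keypair(104729, 104723)
    pub_pub, _pub_priv = make_keypair(999983, 999979)   # private half stays with the publisher
    mal_pub, mal_priv = make_keypair(7919, 7907)
    root_cert = issue("Root", root_pub, "Root", root_priv)
    pub_cert = issue("TrustedPublisher", pub_pub, "Root", root_priv)
    # The impostor holds only its own key, so its signature cannot be the publisher's.
    impostor = issue("Impostor", mal_pub, "TrustedPublisher", mal_priv)
    return {
        "anchors": {"Root": root_pub},
        "genuine": [pub_cert, root_cert],           # the publisher's own signing chain
        "forged": [impostor, pub_cert, root_cert],  # name-linked, but not key-linked
    }

def evaluate():
    """Run both verifiers over both chains; returns which chains each one accepts."""
    s = build_scenario()
    return {
        "names_only_genuine": chain_by_names_only(s["genuine"], "TrustedPublisher"),
        "names_only_forged": chain_by_names_only(s["forged"], "TrustedPublisher"),
        "verified_genuine": chain_verified(s["genuine"], s["anchors"], "TrustedPublisher"),
        "verified_forged": chain_verified(s["forged"], s["anchors"], "TrustedPublisher"),
    }

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:>20}: {'accepted' if ok else 'rejected'}")
```

The name-only verifier accepts both chains, because the impostor’s certificate simply prints “TrustedPublisher” in its issuer field; the verifying check rejects it, because the signature on that certificate does not verify under the publisher’s key. The defensive point is the one the article makes: a chain is only as good as the signature checks performed at every link, and the anchor must be matched by key, not by name.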
Does Fake ID Put You At Risk?
The Fake ID vulnerability was unearthed by Bluebox’s researchers back in March. Google created a patch in April, and released it to both OEMs and the AOSP team, who were given 90 days to implement the fix before Bluebox released the information to the public.
Google has also stated that it has scanned everything in the Play Store and has not found any exploits, and, to date, none have been found “in the wild”.
Bluebox has also released an app that will scan your device to determine whether the system is susceptible to Fake ID, and whether any apps installed on it are attempting to take advantage of this flaw.
So, it looks like all parties are in the process of doing what they should, and for the most part, users should be at little risk. But be sure to apply those security updates when you see them, and be extra cautious about installing apps that come from sources other than the Play Store.
Source: Bluebox Security
Google Play Store: Bluebox Security Scanner