Google fixes Android's Fake ID security hole

Summary: Bluebox Labs recently discovered a serious new Android security vulnerability. Google has released a fix for it. If you're not careful, though, you could still be in danger.

Bluebox Security, a mobile security company, has found a serious Android security hole that dates all the way back to Android 2.1. This hole, Fake ID, can be used by malware to impersonate trusted applications without any user notification.

[Image: Android Fake ID icon]
The Android Fake ID security hole has been patched, but it still poses a potential threat.

Can you say bad news? I knew you could.

Because it lets malware act like already approved, high-level programs, Bluebox claims that Fake ID "can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC [Near Field Communication] financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM." Ironically, 3LM is part of an Android enterprise security system.

Bluebox is not exaggerating. This security hole has the potential to be a major problem. This hole exists in all versions of Android from 2.1, Eclair, to 4.3.1, Jelly Bean. It's not present in Android 4.4.x, KitKat.

Here's the good news: Google has patched the hole and it hasn't been exploited yet. 

A Google spokesperson said, "We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP [Android Open Source Project]. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."

So, for now, you're safe. To make sure you stay that way, follow these basic Android security steps. 

  • Don't visit, and whatever you do don't download, materials from suspicious Web sites. Porn sites are especially dangerous.
  • Don't download programs from third-party Android stores.
  • Look carefully at any program before you install it to make sure it's legitimate and it only asks for necessary permissions.
  • Upgrade, if possible, to the latest version of Android.
  • Use high-quality anti-virus software. Check the most recent Android security apps comparison for your best anti-virus option.

So how did this hole open? According to Bluebox, every Android application has its own unique cryptographic identity. This is in the form of a public key infrastructure (PKI) certificate, which incorporates its corporate developer’s identity.

So far so good. Bluebox explained, "As part of the PKI standard, an identity certificate can have a relationship with another identity certificate: a parent certificate ('issuer') can be used to verify the child certificate. On an Android system, the digital certificate(s) used to sign an Android application become the application’s literal package “signature”, which is accessible to other applications via normal application meta-data APIs [application programming interfaces]."

Here's where it gets tricky.

This application signature, according to Bluebox, "establishes who can update the application, what applications can share its data, etc." And, some "signatures are given special privileges in certain cases." For example, some signed applications can act as a webview plug-in, allow access to the NFC hardware, or even "allow for silent management, configuration, and control of the device."

That's still fine... so long as you can trust the signature system. It turned out you couldn't. Bluebox found that the Android package installer makes no attempt to verify the authenticity of a certificate chain.

Ouch!

So, if a malware writer creates an app with a forged digital identity certificate, Android doesn't try to make sure the app really comes from the vendor it claims to come from: it never checks the forged issuer signature against the real developer's public certificate.

Oops.

So, with a forged digital identity certificate, an attacker's application can use the legitimate app's special privileges. Worse still, "multiple signers can sign an Android application (as long as each signer signs all the same application pieces). This allows a hacker to create a single malicious application that carries multiple fake identities at once, taking advantage of multiple signature verification privilege opportunities to escape the sandbox, access NFC hardware used in secure payments, and take device administrative control without any prompt or notification provided to the user of the device."
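The missing check described above, as an added illustration that is not Bluebox's or Android's code: a toy certificate chain in which `naive_issuer` trusts whatever issuer name a certificate claims (the behaviour the article describes), while `verified_issuer` insists that the claimed issuer's public key actually verifies the child's signature. The textbook RSA with small fixed primes, the certificate layout and all names and keys are constructed for this example only.

```python
import hashlib
# Toy textbook RSA with small, fixed primes (constructed for illustration only;
# real certificates use large keys, padding and full X.509 parsing).
def toy_keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

def tbs(cert):
    # The to-be-signed fields: subject, claimed issuer and public key.
    return f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()

def make_cert(subject, issuer, pub, signer_priv):
    cert = {"subject": subject, "issuer": issuer, "pub": pub}
    cert["sig"] = sign(signer_priv, tbs(cert))
    return cert

def naive_issuer(child, trusted):
    # Behaviour the article describes: accept the issuer name the child claims.
    return child["issuer"] if child["issuer"] in trusted else None

def verified_issuer(child, trusted):
    # Corrected behaviour: the claimed issuer's key must verify the child's signature.
    parent = trusted.get(child["issuer"])
    if parent and verify(parent["pub"], tbs(child), child["sig"]):
        return child["issuer"]
    return None

# Constructed sample chain: a trusted vendor root, a genuine app cert it signed, and a
# forged cert whose issuer field merely names the vendor but was signed by another key.
VENDOR_PUB, VENDOR_PRIV = toy_keypair(104729, 1299709)
APP_PUB, _ = toy_keypair(7919, 104729)
ATTACKER_PUB, ATTACKER_PRIV = toy_keypair(15485863, 32452843)
TRUSTED = {"Trusted Vendor": make_cert("Trusted Vendor", "Trusted Vendor", VENDOR_PUB, VENDOR_PRIV)}
GENUINE = make_cert("vendor-app", "Trusted Vendor", APP_PUB, VENDOR_PRIV)
FORGED = make_cert("lookalike-app", "Trusted Vendor", ATTACKER_PUB, ATTACKER_PRIV)

def outcome():
    return {"genuine_naive": naive_issuer(GENUINE, TRUSTED),
            "genuine_verified": verified_issuer(GENUINE, TRUSTED),
            "forged_naive": naive_issuer(FORGED, TRUSTED),
            "forged_verified": verified_issuer(FORGED, TRUSTED)}
```

Only the verified check rejects the forged certificate; the naive check hands it the vendor's identity, which is exactly the gap the patch closed.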

To avoid Fake ID attacks, follow the steps I outlined above. If you're stuck with a device with an older version of Android, bug your vendor to release a fix as soon as possible. While no one has used this security hole in the wild yet, it's only a matter of time until someone does.

Talkback

35 comments
  • I thought zdNet was a leading tech site

    Yet I read about this on the BBC hours ago...

    Spread bet on the total number of comments on this article, anyone?
    Boothy_p
  • those of us with the un-fragmented, $300 no contract nexus 5

    would get an update right away (although it's already been fixed for a while).

    However for those supposed people who are "up in arms" about "android" update problems, but still haven't figured out they should buy well supported, no contract, unlocked phones like play store edition or moto phones, rather than blame google and/or "android" that their "no-name" phone isn't getting updated, they will soon get a play services (to android 2.2) update that will prevent installation of any app that takes advantage of this bug, that also got past the play store scanner.
    drwong
    • The bug originates at Google, so why blame everyone else?

      Fact is there are more AOSP android devices sold in the world than Google Play approved devices. Fixing the Play Store app does nothing for those versions of Android.

      It all boils down to the fact that there is no real reliable mechanism to send out a security fix for any variation of Android with a very very small exception.

      Even Motorola was one of the worst at updating their devices (read: abandon) and they were owned by Google who is in charge of Android.

      The problem is Android, not everyone else. The fragmentation is a pretty massive problem and if Google made something, anything that gave developers an easy way to download and install security updates it would go a long way towards resolving these problems.
      Emacho
    • really?

      My Galaxy Nexus (that's "Nexus" as in "no contract, unlocked phone" bought from Google Play) is still stuck at 4.3. Just did a "check for updates", nada. We'll see if/when I get my fix. I've yet to see any evidence that this will be fixed in a Google Play Services update rather than an update to Android itself. Seems to me like this really needs to be fixed in Android.

      I guess by "well-supported" you didn't mean bought from Google.
      frylock
  • Going to back port it?

    Are they going to backport it to all the releases since many people are stuck on old ones?
    Buster Friendly
    • This is the best line

      "If you're stuck with a device with an older version of Android, bug your vendor to release a fix as soon as possible."

      So about 1,000,000,000 people. Forever stuck. Ok.
      Bruizer
  • If you're stuck with an older version?

    Am I right in assuming that those who don't get timely upgrades from their vendor are still able to protect themselves by following the safe computing 'Don't visit, don't download, and use anti-virus software' suggestions listed above?
    UGottaBKidding
    • sigh.

      If your phone is old, go and put CyanogenMod on it.. They have a pretty Windows installer now that they are mainstream and lots of phones are covered.

      So you can get the latest if you want it.

      Also, I believe 18 percent of phones are KitKat now. The bug was fixed in AOSP, so anyone that runs a modern AOSP is already fixed.
      frankieh
  • Funny!

    "Upgrade, if possible, to the latest version of Android."

    Good luck with that unless you bought a Nexus or a Google Play Edition.
    MajorlyCool
    • Entirely possible

      And takes 10 mins, if you know what you are doing.
      Boothy_p
      • I'd call this a no value post

        Anyone that knows didn't learn anything & anyone that doesn't know didn't learn anything either.

        But I guess you just meant to snipe
        greywolf7
        • You should never purchase a Samsung phone

          They never update their OS in time.

          Always go with Nexus line.
          Uralbas
          • backwards thinking

            One of the main strengths of android is the variety of phones available. The solution to security shouldn't be to avoid every phone but 1 or 2 models.

            Android needs a reliable method of delivering updates. It isn't just Samsung that doesn't update their phones, it is almost every android phone maker. Even Motorola was terrible about system updates and they were owned by Google.
            Emacho
          • They should deliver through GPS

            As I'm pretty sure the ability to completely control updates has been lost now.

            Then they'll have all the open source brigade on their back about delivering updates through a proprietary service outside of AOSP.

            Security updates and version should be separate.
            Boothy_p
          • The open source brigade uses Replicant

            And its default Android app 'repository' is F-Droid which offers only FOSS apps.

            This is as close as one can get to GNU/Linux with Android (actually, AOSP).
            Rabid Howler Monkey
          • Samsung Phone

            My Samsung Galaxy III just updated to KitKat last week.
            pfrench@...
          • Nexus meh

            My GN has been at 4.3 for a long time. Nexus devices may be good at getting updates for a while, but they can EOL pretty quickly. I guess I have to buy a new device every two years, just like the contract guys?
            frylock
    • I did buy a nexus

      anybody else who bought some random android based phone who was clueless will not care and chances are won't be affected.
      drwong
    • Root it, load it.

      I've rooted every Android device I've owned, and many friends' devices, to get rid of carrier and manufacturer bloatware. Currently running a LiquidSmooth ROM KK3.1 (Android 4.4.4) and couldn't be happier. Updates are released regularly, and the active developer network is very responsive to bugs or undocumented features.
      l_creech
      • Almost no one does that.

        The problem is that you are not a typical Android user. Most have bought cheap, bargain basement phones and are vulnerable which is a major issue. Hopefully they will learn of this and stay away from shady sites and sources.
        Jason2025