Millions of Android devices exposed to fake ID flaw

Pierluigi Paganini July 30, 2014

Android devices are affected by a critical vulnerability which allows a malicious app to impersonate a trusted application inheriting its permissions.

Researchers at Bluebox Security have discovered a critical vulnerability in millions of Android devices that allow a malicious app to impersonate a trusted application in a stealthy way, allowing a bad actor an attacker to perform different malicious actions.

An attacker exploiting the vulnerability could insert malicious code into a legitimate app or gain complete remote control or the targeted device, this is possible due to the way Android OS implements certificate validation through the certificate chain, the flaw is present in all versions of Android.

The researchers explained in a blog post that all those Android mobile devices which run 3LM administration extension, like HTC, Pantech, Sharp, Sony Ericsson, and Motorola are particularly exposed to the risk of a hack

“Every Android application has its own unique identity, typically inherited from the corporate developer’s identity. The Bluebox Security research team, Bluebox Labs, recently discovered a new vulnerability in Android, which allows these identities to be copied and used for nefarious purposes.” said Jeff Forristal, CTO of Bluebox Labs.

Android flaw mobile

Each Android app is signed with digital certificates that allow the unique identification for its author, but the experts at Bluebox discovered that the Android app installer doesn’t properly validate the certificate. The attacker can create an app with a fake identity and impersonate an app with extensive privileges, let’s image, for example, that he target victims impersonating the Adobe plug-in, in this case the malicious app would have the ability to escape the sandbox and run malicious code inside another app.

“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate,”

“Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains the both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.” states the blog post.

Forristal will present the Android vulnerability in a speech at the next BlackHat conference in Las Vegas, he already have anticipated that it is possible to exploit the flow in many different ways.

“You could use any app distribution mechanism, whether it’s a link in SMS or a legitimate app store. Look at other Android malware. You do it whatever it takes for the user to say, Yeah I want that app,” he said. “It’s certainly severe. It’s completely stealth and transparent to the user and it’s absolutely the stuff that malware is made of. It operates extremely consistently, so in that regard it’s going to be extremely attractive to malware.”

It is important to remark that the application’s signature establishes who can manage the application and its data. The mechanism is used by Android OS also to determine the permissions assigned specific apps, some permissions are granted only to applications that have the same signature as the permission creator.

In an another example provided in the blog post, the experts have examined the case of an application with the signature specified by the device’s nfc_access.xml file, typically the signature for the Google Wallet application. An attacker could create an app with this signature to access NFC hardware and access payment information made via Google Wallet.

Bluebox has collaborated with Google to fix the flaw, a patch was released by Google to its partners in April, but the distribution of the updates to the end users is a carriers’ responsibility.

Pierluigi Paganini

Security Affairs –  (Android, digital certificate)



you might also like

leave a comment