Android users since 2010 may have had their data exposed because of vulnerability

This bit of news is terrifying & we suggest all Android users sit up & take note. Researchers from the US-based Bluebox Labs have discovered an Android vulnerability that lets malware take over your apps, steal data... basically, even take control of your phone.

Announcing this on the firm’s blog, Bluebox’s Jeff Forristal has dubbed it ‘Fake ID’. The vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. Citing an example, he said the vulnerability can be used by malware to escape the normal application sandbox & take 1 or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.

By now, readers are getting the significance of what Forristal is saying.

Worse, Fake ID affects almost all Android phones. Bluebox said the vulnerability dated back to the January 2010 release of Android 2.1 & affected all devices that were not patched for “Google bug 13678484,” which was disclosed to Google & for which a patch was released in April.

Android applications use the same certificate signature concepts as SSL, including full support for certificates that are issued by other issuing parties (commonly referred to as a “certificate chain”). Application signatures play an important role in the Android security model. An application’s signature establishes who can update the application, what applications can share its data, etc. Certain permissions, used to gate access to functionality, are only usable by applications that have the same signature as the permission creator. More interestingly, very specific signatures are given special privileges in certain cases.

Explains Forristal: “However, Bluebox Labs discovered a vulnerability that has been relatively present in all Android versions since Android 2.1, which undermines the validity of the signature system and breaks the PKI fundamental operation. The Android package installer makes no attempt to verify the authenticity of a certificate chain; in other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim (normally done by verifying the issuer signature of the child certificate against the public certificate of the issuer). For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains both certificates.”
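To make the missing step concrete, here is an added Go example (not Bluebox’s or Android’s code) that builds a test fixture in the shape Forristal describes, a leaf certificate whose Issuer field names a trusted CA but which was signed with an unrelated key, and runs two checks over it: a name-only comparison of the kind the installer relied on, and the issuer-signature verification it omitted. The CA name “Example Vendor CA”, the key types and the function names are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert encodes template with parent named as issuer, signed by signer, and parses the result.
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NameOnlyCheck mirrors the flawed installer logic: accept the child if its Issuer merely names the CA.
func NameOnlyCheck(child, issuer *x509.Certificate) bool {
	return child.Issuer.String() == issuer.Subject.String()
}

// SignatureCheck is the omitted step: verify the child's signature with the issuer's public key.
func SignatureCheck(child, issuer *x509.Certificate) bool {
	return child.CheckSignatureFrom(issuer) == nil
}

// ForgedChain is a constructed fixture: a CA (placeholder name) and a leaf that claims it as issuer but is signed by another key.
func ForgedChain() (leaf, ca *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "app signer"},
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	// The parent passed here carries only the CA's name: the leaf's Issuer matches the CA, its signature comes from otherKey.
	fakeParent := &x509.Certificate{Subject: ca.Subject}
	if leaf, err = newCert(leafTmpl, fakeParent, &otherKey.PublicKey, otherKey); err != nil {
		return nil, nil, err
	}
	return leaf, ca, nil
}
```

Run against the fixture, NameOnlyCheck returns true while SignatureCheck returns false; only the second check tells a genuinely issued certificate from one that merely claims the issuer.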

There’s more of the security mumbo jumbo in the blog post, but by now, our readers must have got the basic picture – if you have been using an Android-based device, you may have been compromised.

Install the Bluebox Security Scanner to see if you’ve been exposed to this vulnerability.

Image Credit: Bluebox
