Millions of Android devices could be at risk from Fake ID flaw

A newly uncovered flaw in Google's Android OS could leave large numbers of mobile devices at risk from malicious apps that appear to be from trusted developers.

Named 'Fake ID' by Bluebox Security, which uncovered it and notified Google of its presence, the vulnerability lets malicious applications impersonate specially recognized trusted applications without any user notification. Although a patch was issued in April, it's likely that many devices are still at risk.

The flaw can be used by malware to escape the normal application sandbox and take one or more malicious actions. For example, it could insert a Trojan horse into an application by impersonating Adobe Systems, gain access to NFC financial and payment data by impersonating Google Wallet, or take full management control of the entire device by pretending to be 3LM.

Fake ID has been present in Android versions from 2.1 to 4.4, although it was fixed in April as part of the latest patch, Google bug 13678484. Android KitKat is immune due to a change in the webview code. Millions of unpatched devices could still be at risk, however: Google's own statistics indicate that more than 80 percent of Android users are running older versions of the OS.

Fake ID works by exploiting a problem in the way Android uses digital IDs. Whilst the OS checks to see if an app has the right ID before granting privileges, it doesn't check to see if that ID is properly issued, allowing forged ID codes to be used. It's also possible for a single app to carry multiple IDs, making it possible to carry out several attacks.
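The check described above, reduced to a toy model as an added example (not Android's code and not from Bluebox): a certificate chain accepted because the issuer names line up, beside one that verifies each signature under the parent's key. The `Cert` class, the helper names, the textbook-RSA keys and the sample chains are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two known primes (constructed; not secure)."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub_n: int      # subject's public modulus
    sig: int = 0    # issuer's signature over tbs()

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub_n}".encode()

def issue(subject, issuer, subject_key, signing_key):
    c = Cert(subject, issuer, subject_key["n"])
    sig = pow(digest(c.tbs(), signing_key["n"]), signing_key["d"], signing_key["n"])
    return Cert(subject, issuer, c.pub_n, sig)

def links_by_name(chain):
    """Flawed check: trusts the issuer field each certificate claims."""
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))

def links_by_signature(chain):
    """Corrected check: each certificate must verify under its parent's key."""
    return all(c.issuer == p.subject and
               pow(c.sig, E, p.pub_n) == digest(c.tbs(), p.pub_n)
               for c, p in zip(chain, chain[1:]))

def grants_privilege(chain, pinned, chain_check):
    """Privilege is tied to a pinned certificate appearing in a valid chain."""
    return pinned in chain and chain_check(chain)

# Constructed sample data: a pinned vendor certificate and two app chains.
vendor_key = make_key(2**127 - 1, 2**107 - 1)
other_key = make_key(2**89 - 1, 2**61 - 1)
VENDOR = issue("Vendor CA", "Vendor CA", vendor_key, vendor_key)
genuine = [issue("Vendor plugin", "Vendor CA", other_key, vendor_key), VENDOR]
claimed = [issue("Some app", "Vendor CA", other_key, other_key), VENDOR]
```

Both checks accept `genuine`; only `links_by_signature` rejects `claimed`, whose leaf names the vendor as issuer but was never signed by the vendor's key.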

Writing on Bluebox's blog, chief technology officer Jeff Forristal says, "The problem is further compounded by the fact that multiple signers can sign an Android application (as long as each signer signs all the same application pieces). This allows a hacker to create a single malicious application that carries multiple fake identities at once, taking advantage of multiple signature verification privilege opportunities to escape the sandbox, access NFC hardware used in secure payments, and take device administrative control without any prompt or notification provided to the user of the device".

Bluebox has released a Security Scanner app that checks to see if your device is exposed.

10 Responses to Millions of Android devices could be at risk from Fake ID flaw

  1. KingofPing says:

    Still requires the user to disable security on any device that ships with officially licensed Google Play. (These malicious apps are not available through the Play Store.)

    I'm only slightly less certain about the Amazon devices (Pretty sure those are safe as well unless you go outside Amazon for your apps).

    "Bluebox has released a Security Scanner app that checks to see if your device is exposed."

    Well, isn't that just the height of convenience.... /s

    No mention of whether Google's own app scanner (checks every app during install, which would be separate from the check mentioned above regarding escalation) detects apps attempting to use this, either. (Also suspiciously convenient...)

    • KingofPing says:

      ...aaaand, here it is:

      Google has confirmed to Android Central that the "verify apps" feature and Google Play have been updated to protect users from this issue. Indeed, app-level security bugs like this are exactly what the "verify apps" feature is designed to deal with. This significantly limits the impact of Fake ID on any device running an up-to-date version of Google Play Services — far from all Android devices being vulnerable, Google's action to address Fake ID via Play Services effectively neutered it before the issue even became public knowledge.

      Much ado about nothing there, Good Sir Ian.

      • Eric Sleeper says:

        Tell that to the millions of Android phones infected (granted not a USA problem). Plus, from your post, Google updated their 'verify apps' to protect from this issue, meaning it wasn't catching it before. And even their words, significantly limits the impact (key word limits). I'm also pretty sure from other articles, this patch is for 4.4 (at best 4), the millions running pre-4 are out of luck. Don't get me wrong, like you said, it's not a big deal if you Google Play Store, but it's still a big deal for millions of users.

      • KingofPing says:

        "Tell that to the millions of Android phones infected (granted not a USA problem)."

        Perhaps the OEMs who are making those Android devices should do something about that. (Re: Google couldn't fix those if they wanted to, they have no way of updating non Google-Experience devices....they are not part of Google's Ecosystem.)

        "Plus, from your post, Google updated their 'verify apps' to protect from this issue, meaning it wasn't catching it before."

        Before what..? Before it was discovered? Yeah. I guess their TARDIS ain't workin'. :) Their response time on this compared to other companies/ecosystems was phenomenal. Don't even *try* to argue that.

        "I'm also pretty sure from other articles, this patch is for 4.4"

        BZZZT. Sorry. It's part of Google Play Services which means every device running it (auto-updates on any device with the Play Store) gets patched. Last stat I saw that was something like 93% of devices accessing the Play store over a 30 day period. Probably higher now.

        "Don't get me wrong, like you said, it's not a big deal if you Google Play Store, but it's still a big deal for millions of users."

        Millions is as good a guess as any (but it's still just a guess). Too bad the shady OEMs making those devices aren't standing behind them. (Well, some of them hopefully are...)

        My point stands: This doesn't affect *anyone* using the Play Store who hasn't disabled their security, which by Google's own data accounts for over 90% of the Google Android ecosystem. Anyone buying Android devices outside of the Google Ecosystem is placing bets...this isn't news. (Amazon devices are probably a bit better off than the China knock-offs.)

      • Eric Sleeper says:

        Agree with some of your points, as reading about this from many sites, you get different pieces. I also agree, anyone downloading from the Google Play Store is probably OK (at least from the Fake ID). But I do find it funny, one of the selling points of Android was not being walled into one store...yet...here we are...if you want to be 'safe'.

      • KingofPing says:

        "one of the selling points of Android was not being walled into one store."

        According to whom? Personally, it's more about how easy it is to modify, but I am *not* your average Google Android user.

        For that matter, the average user probably doesn't even *know* there are more stores out there so I really don't know where you got that idea...Google Android has always been about the Android Market/Play Store.

        Even so, if that were/is the case: Amazon is probably pretty darn "safe", too. The FOSS "store" (cannot remember the name off the top of my head right now) is probably also safe. I bet there are more out there as well....just not US-centric. Sure they are responsible for their own security, but I'm pretty sure at least Amazon and the FOSS one are all over it.

  2. Eric Sleeper says:

    Ouch !

  3. nascent says:

    This is what happens when you use old out of date technology.

  4. Michael Hammond says:

    Nice to see that no mention of whether it is Chinese knock-off devices are at risk or actual real retail devices are ..... the last article a blogger wrote about said it is the "end of the Android ecosystem" because several Chinese knockoffs were to blame for infections .... so basically this article is rendered useless without actual statistics.
