Bluebox Labs, a part of Bluebox Security, has discovered a flaw in Android that allows malware to pose as legitimate apps. This problem applies to all Android devices lower than Android 4.4 KitKat that are not patched against Google bug 13678484. Google released this patch in April 2014, but millions of devices are still at risk because many device makers have yet to distribute the patch.
"All devices prior to Android 4.4 are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of data of the apps's, and being able to do anything the app is allowed to do," Bluebox's Jeff Forristal wrote.
Forristal adds that devices with KitKat installed are immune because Google switched from webkit to Chromium, which moved away from the vulnerable Adobe-based plugin code. Currently, only 18 percent of the Android devices on the market have installed KitKat, leaving 82 percent wide open for what the security firm calls "Fake ID."
Essentially, the problem is that because of the flaw, malicious apps can provide Android with a fake identification so that they can pose as legitimate apps. Forristal says that malware could gain access to NFC and payment data by impersonating Google Wallet. Further, malware could inject a Trojan horse into a legit application by impersonating Adobe Flash, or take full control of the entire device by posing as 3LM.
"Users of devices from specific vendors that include device administration extensions are at risk for a partial or full device compromise by malware," he writes. "The 3LM device extensions (temporarily owned by Motorola and Google) are present in various HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices – and are susceptible to the vulnerability as well."
Forristal adds that additional applications and devices that depend on the presence of specific signatures to authenticate an application are likely vulnerable. "Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability," he adds.