Sign in with
Sign up | Sign in

Big Android "Fake ID" Security Threat Uncovered

By - Source: Bluebox Security | B 6 comments

Bluebox Labs, a part of Bluebox Security, has discovered a flaw in Android that allows malware to pose as legitimate apps. This problem applies to all Android devices lower than Android 4.4 KitKat that are not patched against Google bug 13678484. Google released this patch in April 2014, but millions of devices are still at risk because many device makers have yet to distribute the patch.

"All devices prior to Android 4.4 are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of data of the apps's, and being able to do anything the app is allowed to do," Bluebox's Jeff Forristal wrote.

Forristal adds that devices with KitKat installed are immune because Google switched from webkit to Chromium, which moved away from the vulnerable Adobe-based plugin code. Currently, only 18 percent of the Android devices on the market have installed KitKat, leaving 82 percent wide open for what the security firm calls "Fake ID."

Essentially, the problem is that because of the flaw, malicious apps can provide Android with a fake identification so that they can pose as legitimate apps. Forristal says that malware could gain access to NFC and payment data by impersonating Google Wallet. Further, malware could inject a Trojan horse into a legit application by impersonating Adobe Flash, or take full control of the entire device by posing as 3LM.

"Users of devices from specific vendors that include device administration extensions are at risk for a partial or full device compromise by malware," he writes. "The 3LM device extensions (temporarily owned by Motorola and Google) are present in various HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices – and are susceptible to the vulnerability as well."

Forristal adds that additional applications and devices that depend on the presence of specific signatures to authenticate an application are likely vulnerable. "Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability," he adds.

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.

Add a comment
Ask a Category Expert
React To This Article

Create a new thread in the News comments forum about this subject

Example: Notebook, Android, SSD hard drive

  • 2 Hide
    iogbrideau , July 30, 2014 10:10 AM
    Yeah would be fun to see an update on my LG Optimus G, but it's very unlikely I'll get another update on that phone.
  • 1 Hide
    house70 , July 30, 2014 2:17 PM
    I read a few days ago on a better informed site that Google (which updates Google Play Services) has implemented a fix in their "verify apps" option. All a user has to do is to make sure that the respective option is checked in their settings. In 4.4 this is enabled by default.
    Of course, pushing these updates outside the OS updates (as it's already being done) means that phones that are in use (therefore receiving Services updates via Google Play automatically) have this option already. That article (was on either Android Central or on Android and Me) thus explained the "lateness" of this security scare.
  • -1 Hide
    sykozis , July 30, 2014 2:38 PM
    Tom's is reporting this again? This isn't anything new..... "Fake ID" was used to scare people last year......and coincidentally, from "Bluebox Labs"....
  • Add your comment Display all 6 comments.
  • 0 Hide
    Skippy27 , July 31, 2014 1:55 PM
    Adobe and vulnerable. 2 words that should always be said together and should never be without the other.
  • 0 Hide
    therealduckofdeath , July 31, 2014 1:57 PM
    Why did you forget to add the detail that Google has already said that anyone with an up to date Play Store are safe, too? As it'll scan for malware like this.
  • 0 Hide
    sykozis , August 1, 2014 6:01 AM
    Then it'd be harder to present as new "news" since it's quite old.....
React To This Article