Bluebox Labs, a part of Bluebox Security, has discovered a flaw in Android that allows malware to pose as legitimate apps. The problem applies to all Android devices running a version earlier than Android 4.4 KitKat that are not patched against Google bug 13678484. Google released this patch in April 2014, but millions of devices are still at risk because many device makers have yet to distribute the patch.
"All devices prior to Android 4.4 are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of the app's data, and being able to do anything the app is allowed to do," Bluebox's Jeff Forristal wrote.
Forristal adds that devices with KitKat installed are immune because Google switched from WebKit to Chromium, which moved away from the vulnerable Adobe-based plugin code. Currently, only 18 percent of the Android devices on the market have installed KitKat, leaving 82 percent wide open for what the security firm calls "Fake ID."
Essentially, the problem is that because of the flaw, malicious apps can provide Android with a fake identification so that they can pose as legitimate apps. Forristal says that malware could gain access to NFC and payment data by impersonating Google Wallet. Further, malware could inject a Trojan horse into a legit application by impersonating Adobe Flash, or take full control of the entire device by posing as 3LM.
"Users of devices from specific vendors that include device administration extensions are at risk for a partial or full device compromise by malware," he writes. "The 3LM device extensions (temporarily owned by Motorola and Google) are present in various HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices – and are susceptible to the vulnerability as well."
Forristal adds that additional applications and devices that depend on the presence of specific signatures to authenticate an application are likely vulnerable. "Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability," he adds.
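The article does not spell out the mechanism, but the failure class it names, trusting the identity an app claims in its signature chain, can be shown in general terms. The Go sketch below is an added example, not code from Bluebox, Google or Android: it contrasts a chain link accepted because issuer and subject names match with one that also checks the issuer's signature. All certificate names and helper functions are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert builds constructed test data: a cert for subject that names issuer, signed by signer (nil = own key).
func mkCert(subject, issuer string, signer ed25519.PrivateKey, isCA bool) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if signer == nil {
		signer = key
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: isCA}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// linkedByName accepts a chain link on matching issuer/subject names alone.
func linkedByName(child, parent *x509.Certificate) bool {
	return child.Issuer.String() == parent.Subject.String()
}

// linkedBySignature also requires that parent's key really signed child.
func linkedBySignature(child, parent *x509.Certificate) bool {
	return linkedByName(child, parent) && child.CheckSignatureFrom(parent) == nil
}

func main() {
	ca, caKey := mkCert("Example Vendor", "Example Vendor", nil, true)
	genuine, _ := mkCert("Vendor Plugin", "Example Vendor", caKey, false)
	lookalike, _ := mkCert("Lookalike App", "Example Vendor", nil, false)
	fmt.Println(linkedByName(genuine, ca), linkedBySignature(genuine, ca), linkedByName(lookalike, ca), linkedBySignature(lookalike, ca))
}
```

Only the signature-checking function tells the genuinely issued certificate apart from the one that merely names the vendor as its issuer.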
Yeah would be fun to see an update on my LG Optimus G, but it's very unlikely I'll get another update on that phone.
I read a few days ago on a better informed site that Google (which updates Google Play Services) has implemented a fix in their "verify apps" option. All a user has to do is to make sure that the respective option is checked in their settings. In 4.4 this is enabled by default.
Of course, pushing these updates outside the OS updates (as it's already being done) means that phones that are in use (therefore receiving Services updates via Google Play automatically) have this option already. That article (was on either Android Central or on Android and Me) thus explained the "lateness" of this security scare.
Tom's is reporting this again? This isn't anything new..... "Fake ID" was used to scare people last year......and coincidentally, from "Bluebox Labs"....
Adobe and vulnerable. 2 words that should always be said together and should never be without the other.
Why did you forget to add the detail that Google has already said that anyone with an up-to-date Play Store is safe, too? As it'll scan for malware like this.
Then it'd be harder to present as new "news" since it's quite old.....