Big Android "Fake ID" Security Threat Uncovered

Bluebox Labs, a part of Bluebox Security, has discovered a flaw in Android that allows malware to pose as legitimate apps. This problem applies to all Android devices lower than Android 4.4 KitKat that are not patched against Google bug 13678484. Google released this patch in April 2014, but millions of devices are still at risk because many device makers have yet to distribute the patch.

"All devices prior to Android 4.4 are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of data of the apps's, and being able to do anything the app is allowed to do," Bluebox's Jeff Forristal wrote.

Forristal adds that devices with KitKat installed are immune because Google switched from webkit to Chromium, which moved away from the vulnerable Adobe-based plugin code. Currently, only 18 percent of the Android devices on the market have installed KitKat, leaving 82 percent wide open for what the security firm calls "Fake ID."

Essentially, the problem is that because of the flaw, malicious apps can provide Android with a fake identification so that they can pose as legitimate apps. Forristal says that malware could gain access to NFC and payment data by impersonating Google Wallet. Further, malware could inject a Trojan horse into a legit application by impersonating Adobe Flash, or take full control of the entire device by posing as 3LM.

"Users of devices from specific vendors that include device administration extensions are at risk for a partial or full device compromise by malware," he writes. "The 3LM device extensions (temporarily owned by Motorola and Google) are present in various HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices – and are susceptible to the vulnerability as well."

Forristal adds that additional applications and devices that depend on the presence of specific signatures to authenticate an application are likely vulnerable. "Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability," he adds.

Follow Kevin Parrish @exfileme. Follow us @tomshardware, on Facebook and on Google+.

  • iogbrideau
    Yeah would be fun to see an update on my LG Optimus G, but it's very unlikely I'll get another update on that phone.
  • house70
    I read a few days ago on a better informed site that Google (which updates Google Play Services) has implemented a fix in their "verify apps" option. All a user has to do is to make sure that the respective option is checked in their settings. In 4.4 this is enabled by default.
    Of course, pushing these updates outside the OS updates (as it's already being done) means that phones that are in use (therefore receiving Services updates via Google Play automatically) have this option already. That article (was on either Android Central or on Android and Me) thus explained the "lateness" of this security scare.
  • sykozis
    Tom's is reporting this again? This isn't anything new..... "Fake ID" was used to scare people last year......and coincidentally, from "Bluebox Labs"....
  • Skippy27
    Adobe and vulnerable. 2 words that should always be said together and should never be without the other.
  • therealduckofdeath
    Why did you forget to add the detail that Google has already said that anyone with an up to date Play Store are safe, too? As it'll scan for malware like this.
  • sykozis
    Then it'd be harder to present as new "news" since it's quite old.....