Android’s “Fake ID” Issue Could Allow Hackers to Steal Data from Millions of Devices

A security company by the name of Bluebox Security has been throwing warning out there in regards to a major flaw in Android operating systems that would potentially allow hackers to steal sensitive information from millions of devices without the user noticing it.

The company stated that the most affected users would be the ones owning an old Android handset that stopped receiving software updates. However, Android users should note that not all Android users are affected by the flaw at hand.

The “Fake ID” vulnerability, as Bluebox describes it, consists of the way the Android operating system processes the digital signature identities attached to apps from various vendors. The OS is said to be configured to automatically accept Adobe apps for example, or other vendors including the device management outfit 3LM. In addition, some apps bearing the latter vendor signatures can automatically plug into other apps in ways other apps cannot.

What is more worrying is that since Android 2.1, the Android package installer is said not to have properly checked the identity certificates, therefore apps claiming to come from trusted vendors could eventually end up being from another ‘vendor’.

“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains… both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.” a Bluebox expert stated.

This way, hackers could have easily impersonate a 3LM signature and allow malware to take control of many devices, functions and apps, including Google Wallet features. Bluebox is stated to have notified Google of the security breach back in April.

However, up until now, Motorola is stated to have rolled out a patch for some of its devices. The experts say that there is no recorded breach of security using the above technique. Even so, a good practice is to only allow app installations from trusted sources and be weary of schemes that try to install specific ‘dodgy’ applications.

Thank you Gigaom for providing us with this information
Image courtesy of Gigaom