A 4-Year Old Android Vulnerability Responsible for ID Thefts Remains Unpatched in Android L Preview

A 4-Year Old Android Vulnerability Responsible for ID Thefts Remains Unpatched in Android L Preview

by Dan Vlasic on 6 August 2014 · 1842 views

Android L Preview, source: BGRA 4-year old security bug that enables malicious apps gain access to users' payment information, as well as some other highly sensitive data, remains largely unpatched even in Android L preview.

Security researchers at Bluebox Security discovered a bug in Android 2.1 they called Fake ID, as an analogy to a fake driver's license Justin Bieber used when he was underage and wanted to race some Lamborghinis.

That was back in 2010, and all Android devices became susceptible to malicious apps, or seemingly legitimate apps that have a second, hidden purpose. A result of a malware exploiting this hole is usually identity theft, email hacks, or credit card hijacking. The sad part is many victims don't realize how the theft happened even when they face the fact they've been silently robbed.

No wonder security community laughs at Google's stance that Android is the safest mobile OS there is. It's not, and last year's statistics showed that nearly 100% of paid apps on Google Play were hacked, implanted with a great variety of malicious pieces of code and re-uploaded again. Neither Google, nor developers of the legitimate paid apps were aware, or responded publically to the report.

I guess this qualifies the bug as a very important one, which only leaves us wondering why on earth Google releases Android L preview with the hole largely unpatched. Android OS developers made an attempt at partially patching it in Android 4.4, but the patch only managed to limit some types of malware while the bug itself remains in the OS until now. It looks like it still may persist in the next iteration of Android OS, as neat as it looks.

Fake ID Android Bug

Android OS epically fails at the stage of verifying whether the cryptographic certificates coming with each installed app are valid or not. The truth is the operating system relies on credentials provided by apps when granting them certain privileges, which enable some apps to bypass the OS sandbox.

Android sandbox basically keeps apps to themselves, not allowing them access other apps' data, especially the sensitive part of it, as well as from accessing vital parts of the OS itself. The privileged apps, however, are allowed to venture outside the sandbox.

Android can not effectively verify the chain of certificates that prove an app qualifies for such highly privileged access, or not, which enables malware to pretend it's a legitimate Google Wallet by providing a fake certificate, Fake ID.

As a result, the OS grants the malware elite access without taking the trouble to verify whether the app's ID is valid. Once the user taps 'install' for such a malicious app, Android welcomes the thief as a policeman, and the little devil starts doing its thing - stealing your money, identity, secrets.

Known Mimicked Apps

There is already a list of legitimate apps with certificates mimicked by malware exploiting Fake ID bug, namely - Adobe Flash, Google Wallet, device management extensions by 3LM, which are largely used by enterprise customers. Can you imagine how much hardcore damage is done by malware disguised as Google Wallet, which has privileges to access some crucial hardware components? The malware gains admin rights and breaks wild. There may be, and most likely are, a lot more highly privileged apps that are mimicked by imposters.

Older OS Versions Are Not Likely to Be Patched

As always is the case with the highly fragmented market of Android devices, customers face the glass ceiling of Google -> Device Manufacturer -> Wireless Carrier chain involved in every OS update roll out, and in many cases the older devices are not even meant to receive an update. The trick may force some consumers buy a newer device, others switch to a custom ROM while not so technically savvy will remain with the outdated version. This is not to mention devices by second league manufacturers that never or very seldom release OS updates for existing devices.

Even though Google released a partial patch, it got stuck somewhere in that long, idle, bureaucratic chain of big businesses. Again, in a statement answering Bluebox revelations, Google does not specify what exactly has been done to patch the bug. Instead, it says they quickly scanned all apps submitted to the marketplace, and found no proof of apps exploiting the vulnerability. Alas, complete unaccountability of corporations give way to a large number of abuses on all levels from individual developers to manufacturers and carriers.

Source: ArsTechnica, The Guardian.

Comments (0)
Featured Articles