Feature Article

July 31, 2014

Certificate Verification Flaw in Android Exposes Users to Malware

Hackers are an incredibly smart group of criminals. In most cases, they show more creativity than the person or group who created the application they are hacking into. You have to be constantly on guard, since new malware seems to pop up almost every day. Malicious software, or malware as it is more commonly known, is defined as any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

In most cases, when an attack is discovered, the protectors work overtime to make sure the malware is detected, removed, and you are kept safe once again. This week, we are learning that the majority of devices running Google's Android operating system are susceptible to hacking. The flaw allows malicious apps to bypass a key security sandbox, the mechanism that keeps running programs separated from one another. Once past the sandbox, hackers can steal user credentials, read email, and access payment histories along with other sensitive data.

As I mentioned above, we have come to expect that as soon as a flaw or hole in the system is found, it is filled, denying access to the malware. That is why this news is so disturbing. Apparently this vulnerability, which seems to be substantial, has existed in the operating system since the release of Android 2.1. If you don't remember, that version came out four years ago, in 2010.

If you do not find that news alarming, maybe you will find this upsetting: it appears that Google was aware of it. Google developers have made some changes in Android 4.4 designed to limit the damage that malicious apps can do; however, the underlying bug remains unpatched. In fact, it still exists in the latest version that has been previewed, Android L.

Back in the 60s, a blue box was a phone-hacking device used to place phone calls without paying for them; today Bluebox is a company whose goal is to secure mobile data wherever it goes. Jeff Forristal, who is the CTO of Bluebox Security, said "All it really takes is for an end user to choose to install this fake app and it's pretty much game over. The Trojan horse payload will immediately escape the sandbox and start doing whatever evil things it feels like, for instance, stealing personal data."

This four-year-old bug in the Android OS has a name: Fake ID. The name refers to the fact that it works in much the same way as a fake driver's license, the kind minors use to enter a bar or another location they shouldn't have access to. Fake ID grants malicious apps special access to Android resources that are typically off-limits. What I find particularly disturbing about that sentence is the "s" in apps. The system is not exposed to just a single app, but to many!

Several apps have certain special privileges in Android. For instance, until version 4.4 Adobe Flash was permitted to act as a plugin for any other app installed on the phone, which was needed to let it add animation and graphics support. In much the same way, Google Wallet is permitted to access the Near Field Communication hardware so that it can process payment information.

Normally, the OS relies on credentials when allocating the special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. The problem stems from Android's failure to verify the validity of the cryptographic certificates that accompany each app installed on a device. Once out of the sandbox, as Forristal said, it is all over!

Although Google did make some changes, such as limiting some of the privileges that Android grants to Flash, the failure to verify the certificate chain is still there. That means version 4.4 still has a lot of insecurities. Forristal went on to say, "With this vulnerability, malware has a way to abuse any one of these hardcoded identities that Android implicitly trusts. So malware can use the fake Adobe ID and become a plugin to other apps. Malware can also use the 3LM to control the entire device."
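To make the two preceding paragraphs concrete, here is a small model of the check they describe, added as an illustration and not taken from Android's code: a toy RSA signature over a simplified certificate record, contrasting a check that only compares a parent certificate's name against a hardcoded identity with one that verifies every signature in the chain back to a pinned root key. All subject names, primes and keys are constructed for the demo.

```python
import hashlib, math
from dataclasses import dataclass

def toy_keypair(p, q):
    """Textbook RSA from two known primes: constructed demo keys, not real ones."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in range(3, phi, 2) if math.gcd(c, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: tuple
    signature: int = 0
    def tbs(self):  # to-be-signed record: everything except the signature
        return f"{self.subject}|{self.issuer}|{self.pubkey}".encode()

def issue(subject, pubkey, issuer_name, issuer_priv):
    body = Cert(subject, issuer_name, pubkey)
    return Cert(subject, issuer_name, pubkey, sign(issuer_priv, body.tbs()))

def name_only_check(chain, trusted_name):
    """Flawed check: a parent that merely claims the trusted name is enough."""
    return any(c.subject == trusted_name for c in chain[1:])

def chain_check(chain, trusted_root):
    """Correct check: each signature verifies under its issuer's key and the chain ends at the pinned root KEY."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not verify(parent.pubkey, child.tbs(), child.signature):
            return False
    root = chain[-1]
    return root.pubkey == trusted_root.pubkey and verify(root.pubkey, root.tbs(), root.signature)

# Constructed scenario: a genuine root, a plugin it issued, and an attacker's
# self-signed root that copies the trusted subject name but not its key.
ADOBE_PUB, ADOBE_PRIV = toy_keypair((1 << 31) - 1, (1 << 61) - 1)
ADOBE_ROOT = issue("CN=Adobe Systems", ADOBE_PUB, "CN=Adobe Systems", ADOBE_PRIV)
PLUGIN_PUB, _ = toy_keypair((1 << 89) - 1, (1 << 107) - 1)
LEGIT_CHAIN = [issue("CN=Flash Player", PLUGIN_PUB, "CN=Adobe Systems", ADOBE_PRIV), ADOBE_ROOT]
MAL_PUB, MAL_PRIV = toy_keypair((1 << 89) - 1, (1 << 127) - 1)
FAKE_ROOT = issue("CN=Adobe Systems", MAL_PUB, "CN=Adobe Systems", MAL_PRIV)
FAKE_CHAIN = [issue("CN=Harmless App", MAL_PUB, "CN=Adobe Systems", MAL_PRIV), FAKE_ROOT]
```

Both chains pass `name_only_check`, which is the shape of the flaw the article describes; only the genuine chain passes `chain_check`, because the attacker's root carries the trusted name but not the trusted key.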

Without going into any specifics about the fixes and patches, Google responded to the Bluebox comments in a statement that read:

We appreciate Bluebox responsibly reporting this vulnerability to us; third-party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.




Edited by Maurice Nagle
