Bug in Android could allow access to personal data
Fake ID vulnerability allows hackers to pass off malware as trusted apps
A vulnerability has been detected in Google Android that can allow malware to be passed off as authorised applications which can control device settings and access user information including credit card data.
BlueBox Security reported the bug, which it has called ‘Fake ID’, to Google. Google has created a fix, although not all handset manufacturers have pushed it to users yet.
Fake ID works because of incomplete checking of the certificate signatures attached to Android apps. Android checks that an app has the right ID before granting it special privileges, but it fails to double-check that the certificate signature involved was properly issued and not forged.
This means that a hacker can create their own identity certificate, falsely claim it has been signed as trustworthy by a trusted third party, and then use that identity certificate to sign a malicious piece of software. Android will then accept that the malware is ‘trusted’, with no further attempts at verification, allowing the malware to access special privileges.
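The gap described above, as an added example that is not from the original article or from Android's code: a chain check that only compares the claimed issuer name, beside one that also verifies the issuer's signature. The toy textbook-RSA keys, the certificate fields and all names are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes: illustration only, not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

@dataclass
class Cert:
    subject: str
    issuer: str         # who the certificate CLAIMS signed it
    modulus: int        # subject's public key
    signature: int = 0  # signature over the three fields above

    def digest(self, n):
        data = f"{self.subject}|{self.issuer}|{self.modulus}".encode()
        return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(cert, signer_n, signer_d):
    cert.signature = pow(cert.digest(signer_n), signer_d, signer_n)
    return cert

def chain_ok_names_only(leaf, issuer):
    # Flawed check: the issuer claim is compared but never verified.
    return leaf.issuer == issuer.subject

def chain_ok_verified(leaf, issuer):
    # Corrected check: the claim must be backed by the issuer's signature.
    return (leaf.issuer == issuer.subject and
            pow(leaf.signature, E, issuer.modulus) == leaf.digest(issuer.modulus))

# Constructed sample data (hypothetical names, Mersenne primes as toy key material)
vendor_n, vendor_d = toy_keypair(2**61 - 1, 2**89 - 1)
other_n, other_d = toy_keypair(2**107 - 1, 2**127 - 1)
vendor = sign(Cert("Trusted Vendor", "Trusted Vendor", vendor_n), vendor_n, vendor_d)
# Really issued by the vendor's key:
genuine = sign(Cert("Vendor Plugin", "Trusted Vendor", other_n), vendor_n, vendor_d)
# Claims the vendor as issuer, but is signed with an unrelated key:
forged = sign(Cert("Unrelated App", "Trusted Vendor", other_n), other_n, other_d)

if __name__ == "__main__":
    for name, cert in (("genuine", genuine), ("forged", forged)):
        print(name, chain_ok_names_only(cert, vendor), chain_ok_verified(cert, vendor))
```

Both certificates pass the name-only check; only the one actually signed with the vendor's key passes the verified check.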
The vulnerability dates back to Android 2.1, released in January 2010.
BlueBox says that the flaw could be particularly serious because the certificate system grants certain privileges to trusted certificates. An application bearing the signature (i.e. the digital certificate identity) of Adobe Systems is allowed to act as a webview plugin of all other applications, presumably to support the Adobe Flash plugin. In another example, the application with the signature specified by the device's nfc_access.xml file (usually the signature of the Google Wallet application) is allowed to access the NFC SE hardware.
Google has acknowledged the issue, and released a fix, although phone manufacturers still need to incorporate that fix into firmware updates and push it out to users.