A new Android flaw potentially affecting up to 80% of current handsets could leave users vulnerable to rogue apps – leapfrogging the defenses used to ensure malicious developers cannot sneak malware onto Android devices, according to the BBC’s report.
“It is very, very easy for malware to use this attack – it is silent, transparent, with no notifications to users,” said Jeff Forristal of Bluebox Security, which uncovered the bug. The bug allows apps to use the digital signatures of other publishers and thus perform actions such as stealing data.
Google has patched the bug – but only for a limited number of handsets. Mark James of ESET UK says, “Android has released a patch (April) for its latest versions but that still leaves over 80% of Android users that could be unprotected.” The Guardian reports that Google’s own figures show 82.1% of users are running an older version.
The flaw has been present in all Android devices shipped since January 2010, Forristal says.
Android security – signature flaw
The “Fake ID” flaw relies on digital signatures used by major publishers, some of whom have special privileges including the ability to inject code into other apps (in the case of Adobe, to add Flash player, Forristal conjectures).
“The vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM,” says Forristal.
Forristal will present more details of his research at Black Hat 2014, saying, “This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device.”
Forristal writes, “All devices prior to Android 4.4 (“KitKat”) are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps, which leads to taking control of the entire app, all of the app’s data, and being able to do anything the app is allowed to do.”
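The impersonation described above comes down to one question for whoever checks an app’s signature: is the publisher identity confirmed cryptographically, or is the issuer name the certificate carries about itself simply believed? The Go program below is an added illustration of that difference; it is not code from the article, from Bluebox or from ESET, and it uses Go’s standard x509 library rather than Android’s own package verifier. The publisher name, keys and certificates are all generated for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed publisher name for the demo; not a real signing identity.
const publisherName = "Example Publisher Root CA"

// mustKey generates a throwaway P-256 key.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal certificate template for the given common name.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// sign issues tmpl with parent.Subject as the issuer name, signed by signer.
// The issuer *name* is copied from the parent template, so a forger can present
// a parent template bearing the publisher's name while signing with its own key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario holds the publisher's trusted root, a certificate it really issued,
// and an attacker's certificate that merely claims the publisher as its issuer.
type Scenario struct {
	Root, Genuine, Forged *x509.Certificate
}

// BuildScenario constructs all three certificates with fresh keys.
func BuildScenario() Scenario {
	rootKey := mustKey()
	rootTmpl := template(publisherName, 1, true)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root

	appKey := mustKey()
	genuine := sign(template("Genuine App", 2, false), root, &appKey.PublicKey, rootKey)

	attackerKey := mustKey()
	fakeParent := template(publisherName, 3, true) // carries the name, never touches the root key
	forged := sign(template("Rogue App", 4, false), fakeParent, &attackerKey.PublicKey, attackerKey)

	return Scenario{Root: root, Genuine: genuine, Forged: forged}
}

// NaiveTrust is the broken check: publisher privileges are granted on the strength
// of the issuer name the certificate asserts about itself.
func NaiveTrust(leaf, root *x509.Certificate) bool {
	return leaf.Issuer.CommonName == root.Subject.CommonName
}

// VerifiedTrust checks that the trusted root's key actually produced the signature
// on leaf; a certificate that only names the publisher as issuer fails here.
func VerifiedTrust(leaf, root *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(root) == nil
}

func main() {
	s := BuildScenario()
	for _, c := range []*x509.Certificate{s.Genuine, s.Forged} {
		fmt.Printf("%-12s naive=%-5v verified=%v\n",
			c.Subject.CommonName, NaiveTrust(c, s.Root), VerifiedTrust(c, s.Root))
	}
}
```

Running it shows the genuine certificate passing both checks and the rogue one passing only the naive name comparison. In a full verifier the single CheckSignatureFrom call would be replaced by a chain walk to a pinned set of trusted publisher roots, but the principle is the same: a privilege tied to a publisher identity must be granted only after the signature linking the app to that publisher has been verified.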
Google said in a statement, “After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.”
PC World points out that the fragmented nature of the Android market means that such measures can take extended periods to reach some networks – if they do at all.
Android security – what to do
ESET’s Mark James says, “This flaw was present on all Android versions up to and including 4.4. That’s a lot of potential Android users that could be affected, and the key word here is ‘could’. Android has released a patch (April) for its latest versions, but that still leaves over 80% of Android users that could be unprotected.
“Most Android phones are configured to notify you of updates but leave you to choose if you want to do so. A lot of Android users, if asked, have no idea what version they have or probably could not tell you the latest version. The most common cause of this is that their manufacturer is running its own version of Android and has not updated to the latest versions for reasons only they are aware of.”
As yet, there is no evidence that this flaw has been used – at least not on a large scale. Drastic steps such as factory-resetting handsets do not seem to be necessary at this stage.
Mark James of ESET says that basic handset hygiene is the best defense. “Ideally the best solution is to ensure your phone manufacturer updates its OS on a regular basis. Check for updates yourself on a periodic basis and install any updates immediately; also try wherever possible to only download and install apps from the Google Play Store. Any other location must be checked for authenticity. Usually, if a paid-for app on the Play Store is available free somewhere else, it’s likely to be fake. If you do decide to download an app from another source, do some research on the web address and owner, and make sure you READ THE REVIEWS if any are available. My advice would be: if no reviews, then DON’T download it.”