Android users warned of critical vulnerability

A critical vulnerability affecting millions of Android devices could let a hacker take control of a smartphone or insert malicious code in another app, security researchers say.

Called Fake ID, the vulnerability was discovered by researchers at vendor Bluebox Security, which worked with Google on a patch released to device manufacturers and carriers in April.


Bluebox made the vulnerability public Tuesday in a blog post that said the flaw affects all versions of Android from 2.1 to 4.4, known as KitKat.

The vulnerability lies in the way the operating system validates app-signing certificates. The flaw even affects devices that carry the 3LM device administration extension, including models from HTC, Pantech, Sharp, Sony Ericsson and Motorola.

3LM provides enterprise security features, such as the ability to whitelist or blacklist applications' access to corporate resources, or to wipe all data from a device remotely.

Android identifies an app's developer by the digital certificate used to sign the app. Bluebox discovered that the Android package installer fails to verify the chain of trust behind that certificate, so an attacker can create an app whose certificate claims a legitimate developer's identity and receive the same privileges Android grants to apps signed by that developer.

An Adobe plug-in and Google Wallet are examples of highly privileged apps whose identities could be impersonated this way.

In the case of an Adobe plug-in, the fake app could gain the privilege to insert malicious code in other apps to steal data. With Google Wallet, an attacker could gain access to the near-field communication (NFC) chip in the device.

The NFC chip is where an Android smartphone stores payment information that a store's electronic payment system will read in completing a purchase.
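To make the mechanism concrete, here is an added example, written for this page and not Bluebox's, Google's or Android's own code, that models the certificate-chain step in Python. It uses a toy textbook-RSA scheme on small well-known primes and a constructed "Adobe Systems" certificate, so the keys, the names and the `build_chain` / `has_privileged_signer` helpers are all assumptions standing in for Android's real X.509 and JAR-signature handling. The vulnerable path links a certificate to its claimed issuer by name alone; the fixed path also checks that the issuer's public key validates the signature. An attacker-signed certificate that merely names Adobe as its issuer passes the first check and fails the second, which is also the check a scanner looking for a malformed chain of trust would run.

```python
import hashlib
import json
from dataclasses import dataclass

# Toy textbook RSA on small, well-known primes. Constructed for this example only:
# none of this is Android code, and the "Adobe" key below is not Adobe's.
E = 65537


def make_key(p: int, q: int) -> dict:
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+); ValueError if not coprime
    return {"n": n, "e": E, "d": d}


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the to-be-signed bytes, reduced into the signer's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str      # who the certificate *claims* signed it
    n: int           # subject's public key
    e: int
    signature: int   # supposedly pow(digest(tbs), d_issuer, n_issuer)

    def tbs(self) -> bytes:
        return json.dumps([self.subject, self.issuer, self.n, self.e]).encode()


def issue(subject: str, subject_key: dict, issuer: str, signing_key: dict) -> Cert:
    """Sign a certificate for `subject` with `signing_key`, labelling `issuer` as the signer.
    Nothing stops a caller from labelling an issuer whose key it does not hold."""
    unsigned = Cert(subject, issuer, subject_key["n"], subject_key["e"], 0)
    h = digest(unsigned.tbs(), signing_key["n"])
    sig = pow(h, signing_key["d"], signing_key["n"])
    return Cert(subject, issuer, subject_key["n"], subject_key["e"], sig)


def signature_ok(cert: Cert, issuer_cert: Cert) -> bool:
    """Does the claimed issuer's public key actually validate cert's signature?"""
    return pow(cert.signature, issuer_cert.e, issuer_cert.n) == digest(cert.tbs(), issuer_cert.n)


def build_chain(leaf: Cert, bundle: list, verify: bool) -> list:
    """Walk from the app's signing cert towards a self-signed root, using the
    certificates shipped alongside the app (`bundle`).
    verify=False: a link is accepted when the issuer *name* matches -> the Fake ID behaviour.
    verify=True:  the issuer's key must also validate the signature -> the fix."""
    chain, cur = [leaf], leaf
    while cur.subject != cur.issuer and len(chain) < 8:
        cand = next((c for c in bundle if c.subject == cur.issuer), None)
        if cand is None or cand in chain:
            break
        if verify and not signature_ok(cur, cand):
            break  # claimed issuer never signed this certificate: stop the chain here
        chain.append(cand)
        cur = cand
    return chain


def has_privileged_signer(chain: list, trusted: Cert) -> bool:
    """Models a privilege check of the form 'is the trusted vendor cert in this app's chain?'"""
    return trusted in chain


# --- constructed actors (hypothetical keys and names) ---------------------------------
ADOBE_KEY = make_key(1000000007, 998244353)             # two known primes
ATTACKER_KEY = make_key(2147483647, 2305843009213693951)  # 2^31-1 and 2^61-1, both prime

ADOBE_CERT = issue("Adobe Systems", ADOBE_KEY, "Adobe Systems", ADOBE_KEY)      # genuine, self-signed
FORGED_CERT = issue("Evil Corp", ATTACKER_KEY, "Adobe Systems", ATTACKER_KEY)   # names Adobe, signed by attacker
BUNDLE = [FORGED_CERT, ADOBE_CERT]  # the attacker ships Adobe's public cert next to its own


def demo() -> dict:
    return {
        "fake_id_grants": has_privileged_signer(build_chain(FORGED_CERT, BUNDLE, verify=False), ADOBE_CERT),
        "fixed_grants": has_privileged_signer(build_chain(FORGED_CERT, BUNDLE, verify=True), ADOBE_CERT),
        "genuine_grants": has_privileged_signer(build_chain(ADOBE_CERT, BUNDLE, verify=True), ADOBE_CERT),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns three booleans: the forged certificate obtains the vendor's privilege only on the name-matching path, the verified path refuses it, and the genuine self-signed certificate still passes after the fix. Note that the attacker holds the leaf key, so the app's own package signature verifies fine in both cases; the flaw is entirely in how the issuer link is trusted.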

While a patch is available, whether Android users have actually received it depends on how quickly their device manufacturer and carrier push it out, a process that can take months, if it happens at all.

To compromise a smartphone, the attacker would first have to get an app carrying a fake identity installed on it. This could be done through a malicious download link sent in a text message, or through third-party app stores with weak vetting.

In general, the risk of downloading an app that exploits a known flaw like this one is low for software obtained through Google Play, the official Android store.

Once a malicious app exploiting Fake ID is installed, it can bypass the security measures Android normally applies, including prompting the user for approval before granting certain privileges to the app.

"Once it's installed -- done, boom, game over," Jeff Forristal, chief technology officer of Bluebox, said.

Companies using mobile device management (MDM) software configured to enforce strict policies on application installation would have the best chance of avoiding infection.


Michael Shaulov, chief executive of Lacoon Mobile Security, recommends enforcing that applications are only installed from reputable sources and educating employees on how to avoid downloading malicious apps.

"Enterprises should also look to leverage solutions that are able to detect advanced threats," Shaulov said in an email. "In this case being able to identify apps containing a malformed chain-of-trust."

By Antone Gonsalves