An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user’s credit card data and take control of the device’s settings.
BlueBox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.
The company added it had alerted Google to the problem in advance to allow it to mend its operating system.
Google confirmed it had created a fix.
“We appreciate BlueBox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users,” said a spokeswoman. “After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project.”
However, many thousands of devices running versions of the operating system from Android 2.1 to Android 4.3 have not yet been sent the fix by their network operators and manufacturers; those devices remain vulnerable if their owners install apps from outside the Google Play store.
BlueBox has dubbed the vulnerability Fake ID because it exploits a problem with the way Android handles the digital IDs – known as certification signatures, that is, the certificates an app is signed with – used to verify that certain apps are what they appear to be. Android checks that an app carries the right ID before granting it special privileges, but it fails to double-check that the certificate chain presented was properly issued and not forged: it links the certificates together by the issuer names they claim, without verifying that each certificate was actually signed by the issuer it names.
Jeff Forristal, chief technology officer of BlueBox, likened the issue to a tradesman arriving at a building, presenting his ID to a security guard and being given special access to its infrastructure without a phone call being made to the tradesman’s employer to check he is really on its books.
“That missing link of confirmation is really where this problem stems,” he said. “The fundamental problem is simply that Android doesn’t verify any claims regarding if one identity is related to another identity.”
To make matters worse, he added, a single app can carry several fake identities at once, allowing it to carry out multiple attacks.
Mr Forristal gave three examples of how a faked certification signature might be used to cause harm:
The app pretends to be created by Adobe Systems – Adobe is granted the privilege of being able to add code to other apps in order to support their use of its Flash media-player plug-in. The malware can take advantage of this to install Trojan horse malware into otherwise authentic programs.
The app uses the same ID used by Google Wallet – the search firm’s mobile payment software is usually the only app allowed to communicate with the secure hardware used to make credit card transactions via a phone’s tap-to-pay NFC (near field communication) chip. By exploiting this, the malware can obtain financial and payment data that would otherwise be protected.
The app impersonates 3LM software – many manufacturers add their own skins to Android to customise their devices’ user interfaces and functions. In the past, HTC, Sony, Sharp, Motorola and others did this by using extensions created by a now defunct business called 3LM. By masquerading as 3LM’s software, malware could take full control of the relevant devices and both uninstall their existing software as well as adding spyware, viruses and other damaging content of its own.
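The following is an added illustration of the chain-checking gap described above and of the Adobe example, not code from BlueBox, Google or Android. It models certificates as small dictionaries and uses textbook RSA with tiny constructed primes, so the cryptography is deliberately toy-grade; only the chain-building logic matters. The names "Adobe Systems", "Flash Player" and "Evil App", the keys and the two chain builders are all constructed for the example. The flawed builder links certificates by matching issuer and subject names without verifying signatures, as the unpatched check did; the fixed builder refuses any link whose signature does not verify under the named issuer's key.

```python
"""Toy model of the Fake ID chain-building flaw (added example; NOT secure crypto)."""
import hashlib


def make_key(p, q, e=65537):
    """Textbook RSA key from two small constructed primes."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def public(key):
    return {"n": key["n"], "e": key["e"]}


def digest_int(data, n):
    """SHA-256 of the data, reduced into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(digest_int(data, key["n"]), key["d"], key["n"])


def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest_int(data, pub["n"])


def tbs(subject, issuer, pub):
    """The to-be-signed bytes that an issuer's signature covers."""
    return f"{subject}|{issuer}|{pub['n']}|{pub['e']}".encode()


def make_cert(subject, issuer, subject_key, issuer_key):
    """Certificate for subject_key, signed by whoever holds issuer_key.
    The 'issuer' field is only a claim: an attacker can write Adobe's name
    there while signing with their own key."""
    pub = public(subject_key)
    return {"subject": subject, "issuer": issuer, "pub": pub,
            "sig": sign(issuer_key, tbs(subject, issuer, pub))}


def cert_is_signed_by(cert, issuer_cert):
    return verify(issuer_cert["pub"],
                  tbs(cert["subject"], cert["issuer"], cert["pub"]), cert["sig"])


def build_chain_by_name(leaf, certs):
    """Flawed behaviour: follow issuer names to subject names in the APK's
    certificate set and never check a signature."""
    by_subject = {c["subject"]: c for c in certs}
    chain = [leaf]
    while chain[-1]["issuer"] != chain[-1]["subject"] and len(chain) < 8:
        nxt = by_subject.get(chain[-1]["issuer"])
        if nxt is None:
            break
        chain.append(nxt)
    return chain


def build_chain_verified(leaf, certs):
    """Fixed behaviour: same walk, but every link (and the self-signed root)
    must verify under the named issuer's key, otherwise there is no chain."""
    by_subject = {c["subject"]: c for c in certs}
    chain = [leaf]
    while chain[-1]["issuer"] != chain[-1]["subject"]:
        issuer = by_subject.get(chain[-1]["issuer"])
        if issuer is None or len(chain) >= 8 or not cert_is_signed_by(chain[-1], issuer):
            return None
        chain.append(issuer)
    return chain if cert_is_signed_by(chain[-1], chain[-1]) else None


def has_privileged_signer(chain, trusted_cert):
    """The privilege check: is the trusted certificate anywhere in the chain?"""
    return chain is not None and any(c == trusted_cert for c in chain)


# Constructed keys and certificates (small primes, illustration only).
ADOBE_KEY = make_key(1000003, 1000033)    # the trusted signer
FLASH_KEY = make_key(1000037, 1000039)    # a genuine Adobe-issued app key
ATTACKER_KEY = make_key(999983, 999979)   # the malware author's key

ADOBE_ROOT = make_cert("Adobe Systems", "Adobe Systems", ADOBE_KEY, ADOBE_KEY)
GENUINE_LEAF = make_cert("Flash Player", "Adobe Systems", FLASH_KEY, ADOBE_KEY)
# The forgery: names Adobe as issuer but is signed with the attacker's own key.
FORGED_LEAF = make_cert("Evil App", "Adobe Systems", ATTACKER_KEY, ATTACKER_KEY)


def vulnerable_grants_adobe_privilege(leaf):
    """Verdict of the unpatched check for an APK shipping [leaf, ADOBE_ROOT]."""
    return has_privileged_signer(build_chain_by_name(leaf, [leaf, ADOBE_ROOT]), ADOBE_ROOT)


def fixed_grants_adobe_privilege(leaf):
    """Verdict of the patched check for the same APK."""
    return has_privileged_signer(build_chain_verified(leaf, [leaf, ADOBE_ROOT]), ADOBE_ROOT)


if __name__ == "__main__":
    print("forged leaf, vulnerable check:", vulnerable_grants_adobe_privilege(FORGED_LEAF))
    print("forged leaf, fixed check:", fixed_grants_adobe_privilege(FORGED_LEAF))
    print("genuine leaf, fixed check:", fixed_grants_adobe_privilege(GENUINE_LEAF))
```

The malicious APK carries both the forged leaf and a copy of Adobe's public certificate. The name-only builder happily chains the two and the privilege check finds Adobe's certificate in the chain, so the app is treated as Adobe's; the verified builder rejects the forged link because the leaf's signature does not verify under Adobe's key, while the genuinely Adobe-signed leaf still passes.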
BlueBox made headlines last July when it revealed the Master Key bug – a coding loophole that could allow hackers to take control of Android devices. Cybercriminals were later spotted using the technique to target users in China.
Mr Forristal said he believed that the Fake ID flaw had the potential to be a bigger problem. “Master Key did allow a whole device to be taken over… but the user had to be duped into a couple of decisions before the malware would be able to achieve its goal,” he explained. “Fake ID unfortunately occurs in a manner that is hidden to the user – there’s no prompts, no notifications, no need for special permissions. The user can actually be told the app doesn’t want any special permissions at all, which most people would think makes it relatively safe. But once Fake ID is installed it’s ‘game over’ instantly.”
Dr Steven Murdoch, a security expert at the University of Cambridge’s computer laboratory, agreed this was a serious flaw. But he added that most device owners should still be able to avoid being affected.
“Google will be looking for people who are exploiting this vulnerability in applications being distributed through its own Google Play store,” he said. “So, if that’s the only place that you get apps from, you are in a relatively good position. But if you download applications from other sources you will be putting yourself at risk.”
A spokeswoman from Google confirmed that the company had scanned all the applications in its own store as well as some of those elsewhere. “We have seen no evidence of attempted exploitation of this vulnerability,” she added.
BlueBox is releasing an Android app of its own that will check whether the host device has been patched.