The apps' unique ID can be copied and used for malicious purposes

Jul 30, 2014 00:01 GMT  ·  By

A serious vulnerability has been discovered in Android that could potentially lead to completely compromising devices running versions of the mobile operating system lower than 4.4 (KitKat).

The flaw allows malicious apps to impersonate trusted ones behind the user’s back and benefit from the same access permissions as the legitimate software. This creates the risk that attackers could reach financial information or even take full control of the Android device.

Researchers at Bluebox Security say that the vulnerability is embedded in Android OS and affects all versions that are not patched against Google bug 13678484, which was disclosed to the company in April 2014.

They said that “anything that relies on verified signature chains of an Android application is undermined by this vulnerability.”

All apps installed on the operating system are signed with a digital certificate, which does not necessarily have to be issued by a digital certificate authority (CA). Some apps benefit from certificates hard-coded in the system that allow them special privileges on the system.

Certificate chains can be created to let multiple apps perform certain actions; their permissions are gated, though, so that they do not enjoy the same freedom on the system as the parent signature grants.

“For example, an application bearing the signature (i.e. the digital certificate identity) of Adobe Systems is allowed to act as a webview plugin of all other applications, presumably to support the Adobe Flash plugin,” Jeff Forristal, CTO at Bluebox Security, explains in a blog post.

However, the vulnerability discovered by the security company consists in the fact that the Android package installer does not verify the authenticity of a certificate chain.

Basically, a signature claiming to be issued by a higher authority is not checked, allowing an attacker to create a certificate and forge a claim that the signature was issued by a trusted developer, such as Adobe Systems.

Then, they can “sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate.”

Since the Android package installer performs no such check, it creates a package signature with both certificates, granting the malicious app the same privileges as those given to the hard-coded digital certificate.
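The check the article describes as missing is cryptographic verification of each link in the chain: a certificate that merely names a trusted issuer must be rejected unless the trusted issuer's key actually signed it. The following Go program is an added illustration, not code from Bluebox Security or from Android. It constructs three certificates in memory (a hypothetical trusted vendor root standing in for the hard-coded certificate, a leaf genuinely issued by that root, and a leaf that only claims the root as its issuer while being signed with an unrelated key) and then contrasts a name-only issuer check, which accepts the forged leaf, with a signature-verifying chain walk, which rejects it. All names, serial numbers and validity periods are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoCerts holds the three constructed certificates used by this example.
type DemoCerts struct {
	Root   *x509.Certificate // hypothetical trusted vendor root (stands in for a hard-coded system certificate)
	Issued *x509.Certificate // leaf genuinely signed by Root's private key
	Forged *x509.Certificate // leaf whose Issuer field names Root, but signed with an unrelated key
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert signs tmpl with signer, copying the Issuer name from parent.Subject.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildDemoCerts constructs the root, a legitimately issued leaf, and a forged leaf.
func BuildDemoCerts() DemoCerts {
	now := time.Now()
	rootKey := mustKey()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted Vendor Root"}, // constructed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root := makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed anchor

	leafKey := mustKey()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Legitimate Plugin Developer"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	issued := makeCert(leafTmpl, root, &leafKey.PublicKey, rootKey) // really signed by the root key

	// The forged leaf: the parent template carries only the root's name, no public key, so the
	// Issuer field names the trusted root while the signature comes from the forger's own key.
	forgedKey := mustKey()
	forgedTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "Forged Identity"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	nameOnlyParent := &x509.Certificate{Subject: root.Subject}
	forged := makeCert(forgedTmpl, nameOnlyParent, &forgedKey.PublicKey, forgedKey)

	return DemoCerts{Root: root, Issued: issued, Forged: forged}
}

// NameOnlyIssuerCheck models the flawed behaviour: the chain is trusted because the leaf
// *says* it was issued by the trusted certificate. No signature is verified.
func NameOnlyIssuerCheck(leaf, trusted *x509.Certificate) bool {
	return leaf.Issuer.String() == trusted.Subject.String()
}

// CheckChainSignatures walks a leaf-first chain and requires each certificate to be
// cryptographically signed by the next one, with the last link signed by the trusted anchor.
func CheckChainSignatures(chain []*x509.Certificate, trusted *x509.Certificate) error {
	for i := range chain {
		parent := trusted
		if i+1 < len(chain) {
			parent = chain[i+1]
		}
		if err := chain[i].CheckSignatureFrom(parent); err != nil {
			return fmt.Errorf("link %d (%q) is not signed by %q: %w",
				i, chain[i].Subject.CommonName, parent.Subject.CommonName, err)
		}
	}
	return nil
}

// LeafIsAuthentic verifies a single leaf directly against the trusted anchor.
func LeafIsAuthentic(leaf, trusted *x509.Certificate) bool {
	return CheckChainSignatures([]*x509.Certificate{leaf}, trusted) == nil
}

func main() {
	c := BuildDemoCerts()
	fmt.Printf("name-only check: issued=%v forged=%v\n",
		NameOnlyIssuerCheck(c.Issued, c.Root), NameOnlyIssuerCheck(c.Forged, c.Root))
	fmt.Printf("signature check: issued=%v forged=%v\n",
		LeafIsAuthentic(c.Issued, c.Root), LeafIsAuthentic(c.Forged, c.Root))
}
```

The name-only check reports both leaves as issued by the trusted root, which is the failure mode the article describes; the signature walk accepts only the leaf whose signature the root's key actually produced. Any installer or verifier that gates privileges on a chain has to perform the second kind of check for every link, not just inspect the claimed issuer.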

“The problem is further compounded by the fact that multiple signers can sign an Android application (as long as each signer signs all the same application pieces). This allows a hacker to create a single malicious application that carries multiple fake identities at once,” writes Forristal.

Technical details of the vulnerability, dubbed FakeID by Bluebox Security, along with the tools used for compromising Android devices are to be presented at the Black Hat USA in August.