Android’s “Fake ID” Issue Could Allow Hackers to Steal Data from Millions of Devices

Bluebox Security, a security company, has been warning about a major flaw in the Android operating system that could allow hackers to steal sensitive information from millions of devices without the user noticing.

The company stated that the most affected users would be those who own an older Android handset that has stopped receiving software updates. However, not all Android users are affected by the flaw.

The “Fake ID” vulnerability, as Bluebox describes it, lies in the way the Android operating system processes the digital signature identities attached to apps from various vendors. The OS is said to be configured to automatically accept apps from Adobe, for example, and from other vendors including the device management outfit 3LM. In addition, some apps bearing these vendor signatures can automatically plug into other apps in ways other apps cannot.

What is more worrying is that, since Android 2.1, the Android package installer is said not to have properly checked the identity certificates, so an app claiming to come from a trusted vendor could in fact come from another ‘vendor’.

“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains… both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.” a Bluebox expert stated.

This way, hackers could easily have impersonated a 3LM signature and allowed malware to take control of many devices, functions and apps, including Google Wallet features. Bluebox is said to have notified Google of the security issue back in April.
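As an added illustration (not code from Bluebox, Android or the original article), the Python sketch below models the difference between accepting a certificate's issuer claim by name and verifying the issuer's signature over it, which is the check the package installer is described as skipping. The certificate structure, the names `TrustedVendor`, `VendorApp` and `OtherApp`, and the toy textbook-RSA keys are constructed assumptions, not real Android or X.509 formats.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy textbook-RSA key from two known primes: returns (n, d). Not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str   # only a claim until a signature backs it
    pub_n: int    # subject's public modulus
    sig: int = 0

    def tbs(self):
        """Bytes covered by the signature (the 'to be signed' part)."""
        return f"{self.subject}|{self.issuer}|{self.pub_n}".encode()

def issue(subject, subject_n, issuer, signing_key):
    """Build a certificate naming `issuer`, signed with `signing_key`."""
    n, d = signing_key
    cert = Cert(subject, issuer, subject_n)
    cert.sig = pow(digest(cert.tbs(), n), d, n)
    return cert

def chain_by_name_only(chain):
    """Flawed: accepts the issuer claim without checking the signature."""
    return all(c.issuer == parent.subject for c, parent in zip(chain, chain[1:]))

def chain_verified(chain):
    """Correct: each certificate must verify under its parent's public key."""
    return all(c.issuer == parent.subject and
               pow(c.sig, E, parent.pub_n) == digest(c.tbs(), parent.pub_n)
               for c, parent in zip(chain, chain[1:]))

# Constructed sample data (Mersenne primes only keep the block short).
VENDOR = make_key(2**107 - 1, 2**127 - 1)
OTHER = make_key(2**61 - 1, 2**89 - 1)
vendor_cert = issue("TrustedVendor", VENDOR[0], "TrustedVendor", VENDOR)
# Leaf really signed by the vendor key.
genuine = [issue("VendorApp", OTHER[0], "TrustedVendor", VENDOR), vendor_cert]
# Leaf that names the vendor as issuer but was signed with an unrelated key.
claimed = [issue("OtherApp", OTHER[0], "TrustedVendor", OTHER), vendor_cert]

if __name__ == "__main__":
    for name, chain in (("genuine", genuine), ("claimed", claimed)):
        print(name, chain_by_name_only(chain), chain_verified(chain))
```

Both chains pass the name-only comparison, but only the chain whose leaf was actually signed with the vendor key passes signature verification.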

So far, however, Motorola is said to have rolled out a patch for some of its devices. The experts say that there is no recorded breach of security using the above technique. Even so, good practice is to only allow app installations from trusted sources and to be wary of schemes that try to install specific ‘dodgy’ applications.

Thank you Gigaom for providing us with this information

Gabriel Roşu
