Wednesday, July 30, 2014

Millions of Android smartphones exposed to the dangerous Fake ID vulnerability

A critical vulnerability has been discovered in millions of Android devices that allows malware to pose as a trusted application. An attacker can perform arbitrary actions, including injecting malicious code into legitimate applications and even gaining full control over the infected device.

According to Threatpost, the vulnerability, called Fake ID, stems from a flaw in the certificate verifier and affects all versions of Android from 2.1 to 4.4. According to the experts at Bluebox Security who discovered the flaw, the risk of losing control of the device through exploitation is particularly high for users who have the 3LM administration extension installed, including owners of HTC, Pantech, Sharp, Sony Ericsson and Motorola devices.
Android applications must be signed with a digital certificate that represents the developer. Researchers from Bluebox Security found that the standard Android installer does not check the authenticity of the certificates with which a given application is signed.
"The attacker, for example, can create a new digital certificate, specify Adobe Systems as the publisher, and sign the application with a chain that includes the forged certificate and the Adobe Systems certificate," the experts explain. "When installing the APK file, the installer does not check the authenticity of the publisher and creates a signature containing both certificates. This, in turn, misleads the certificate validation mechanism of the WebView plugin manager (which will not fail to check the certificate chain for Adobe) and allows the application to get special privileges. The result is a sandbox bypass and the injection of malicious code, disguised as a WebView plugin, into another application."
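The missing check described above, as an added example (not code from Bluebox Security or from Android): a simplified model that compares a chain check matching issuer and subject names only with one that also verifies each signature under the parent's key. The record layout, the toy textbook-RSA keys, the function names and the sample chains are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by all toy keys
def make_key(p, q):
    """Toy textbook-RSA key from two known primes (constructed, not secure)."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    pub_n: int      # subject's public modulus
    sig: int = 0    # issuer's signature over tbs()

    def tbs(self):
        return f"{self.subject}|{self.issuer}|{self.pub_n}".encode()

def issue(subject, subject_key, issuer, issuer_key):
    cert = Cert(subject, issuer, subject_key["n"])
    n = issuer_key["n"]
    cert.sig = pow(digest(cert.tbs(), n), issuer_key["d"], n)
    return cert

def chain_ok_by_name(chain):
    """Flawed check: links certificates by issuer/subject strings only."""
    return all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))

def chain_ok_by_signature(chain):
    """Adds the missing step: every signature must verify under its parent's key."""
    return chain_ok_by_name(chain) and all(
        pow(c.sig, E, p.pub_n) == digest(c.tbs(), p.pub_n)
        for c, p in zip(chain, chain[1:]))

# Constructed sample data: a vendor key, an unrelated key, and two leaf chains.
VENDOR = make_key(2**61 - 1, 2**89 - 1)
OTHER = make_key(2**107 - 1, 2**127 - 1)
APP = make_key(2**31 - 1, 2**19 - 1)
VENDOR_CERT = issue("Adobe Systems", VENDOR, "Adobe Systems", VENDOR)
GENUINE = [issue("plugin", APP, "Adobe Systems", VENDOR), VENDOR_CERT]
FORGED = [issue("plugin", APP, "Adobe Systems", OTHER), VENDOR_CERT]

if __name__ == "__main__":
    for name, chain in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, chain_ok_by_name(chain), chain_ok_by_signature(chain))
```

Only the link between adjacent certificates is checked here; anchoring the last certificate to a trusted store is a separate step.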
In an interview, Bluebox CTO Jeff Forristal said that this vulnerability can be exploited in different ways. The company representative rates it as very dangerous and has prepared a special presentation that he will give next week in Las Vegas at the Black Hat conference.
"Programs using Fake ID can be distributed in any way, whether through a link in an SMS or a legitimate app store," said Forristal. "Take a look at other malicious software for Android. All that is needed is for the user to say, 'Oh yes, I want this app.' The flaw is indeed serious. Absolute secrecy and at the same time transparency for the user: what more does malware need? It works like clockwork, so it will apparently be a very popular loophole for malware."
Another attractive target for this vulnerability is Google Wallet. An attacker could create an application bearing the signature of the Google Wallet client, which opens access to the NFC chip. The chip holds the information required to make payments over NFC (near field communication), a short-range communication protocol used not only by Google Wallet but also by a number of other payment applications.
According to Forristal, Bluebox helped Google resolve the problem. The patch was released back in April, but the rollout of updates depends on the manufacturer.