Researchers from Bluebox Labs have discovered a terrifying Android vulnerability that lets malware take over your apps, steal their data, and essentially take full control of your phone, including the financial information you’ve saved in your Google Wallet.
Here’s the basic idea: Every Android app has a unique identity, and this particular vulnerability allows malware to copy that identity so that it can impersonate your applications without your knowing. Bluebox researchers aptly nicknamed the vulnerability “Fake ID.”
Worse, it affects almost all Android phones. Bluebox says the vulnerability dates back to the January 2010 release of Android 2.1 and affects all devices that are not patched for “Google bug 13678484,” which was disclosed to Google and released for patching in April.
The root of this vulnerability lies in what’s called a “certificate chain,” in which encrypted certificates that verify the identities of Android apps can trust each other to communicate and share data. The vulnerability, however, makes it impossible to verify the authenticity of the certificate chain.
Bluebox outlined some of the implications of this exploit:
An attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains the both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems — leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.
Bluebox Labs researcher Jeff Forristal said he would offer more technical details of the exploit, including how it was found and how it works, during his talk at the Black Hat USA conference in Las Vegas, which begins Aug. 2.
If you use Android 4.4 (known as KitKat) or you recieved Google’s April patch before your phone was attacked, you’re safe.
Bluebox released a free security scanner that will let you know if your phone has been affected.