updated 09:10 am EDT, Tue July 29, 2014
App masquerading as Flash, others, can break Android sandboxing
Mobile device researchers Bluebox Security have discovered a serious flaw in Google's Android operating system that dates back to version 2.1 and is still present (albeit weakened) in the new 5.0 preview. The "Fake ID" security flaw allows a malicious app to include a forged security certificate claiming that it is an app with sandbox-breaking privileges, in essence giving the malicious app root access to the phone and all its contents.
"All it really takes is for an end user to choose to install this fake app, and it's pretty much game over," Bluebox Security CTO Jeff Forristal told Ars Technica. "The Trojan horse payload will immediately escape the sandbox and start doing whatever evil things it feels like, for instance, stealing personal data."
The flaw lies in how Android handles security certificates. Apps that are properly credentialed are "sandboxed," or run isolated from other parts of Android, preventing an app from wreaking havoc across the device. A few apps, such as Adobe Flash, Google Wallet, and other device-management apps, have special privileges that allow them to function across the sandbox. Android looks at the security certificates, but does not verify that the certificate is being used with the app that it "belongs" to.
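The missing step described above, "does not verify that the certificate belongs to the app," is a certificate-chain check. The following Go program is an added illustration, not Bluebox's or Google's code, and it uses constructed certificates with hypothetical names rather than any real Android identity. It builds a trusted vendor certificate, a genuinely issued app certificate, and a forged app certificate whose Issuer field merely copies the vendor's name. A check that only compares issuer names accepts both; a check that actually verifies the signature chain against the trusted public key rejects the forgery.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical vendor name; no real Android identity is reproduced here.
const trustedVendor = "Trusted Plugin Vendor (constructed)"

var serial int64 = 1

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newTemplate returns a minimal certificate template for a subject name.
func newTemplate(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// sign encodes tmpl, copying parent's Subject into the Issuer field and
// signing with signerKey. The parent may be a bare template with no key,
// which is exactly how an Issuer name can be claimed without authority.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// Scenario holds the trusted vendor cert, a genuine app cert issued by it,
// and a forged app cert whose Issuer field only claims the vendor's name.
type Scenario struct {
	Vendor, Genuine, Forged *x509.Certificate
}

// BuildScenario constructs all three certificates in memory (constructed data).
func BuildScenario() Scenario {
	vendorKey := newKey()
	vendorTmpl := newTemplate(trustedVendor, true)
	vendor := sign(vendorTmpl, vendorTmpl, &vendorKey.PublicKey, vendorKey)

	// Genuine: issued and signed by the vendor's own key.
	appKey := newKey()
	genuine := sign(newTemplate("Genuine Plugin App (constructed)", false), vendor, &appKey.PublicKey, vendorKey)

	// Forged: the Issuer field names the vendor, but the signature comes from
	// a key the vendor never had. Only the name matches.
	otherKey := newKey()
	claimedParent := &x509.Certificate{Subject: pkix.Name{CommonName: trustedVendor}}
	forged := sign(newTemplate("Forged Plugin App (constructed)", false), claimedParent, &otherKey.PublicKey, otherKey)

	return Scenario{Vendor: vendor, Genuine: genuine, Forged: forged}
}

// IssuerNameMatches is the weak check: trust whatever the Issuer field says.
func IssuerNameMatches(cert, trusted *x509.Certificate) bool {
	return cert.Issuer.CommonName == trusted.Subject.CommonName
}

// ChainVerifies is the correct check: the signature on cert must validate
// under the trusted certificate's public key, not merely name it.
func ChainVerifies(cert, trusted *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	s := BuildScenario()
	for _, c := range []*x509.Certificate{s.Genuine, s.Forged} {
		fmt.Printf("%-34s issuer-name check: %-5v chain check: %v\n",
			c.Subject.CommonName, IssuerNameMatches(c, s.Vendor), ChainVerifies(c, s.Vendor))
	}
}
```

The design point is that the Issuer field is just data the certificate's author writes; only the signature, checked with the issuer's actual public key, ties a certificate to the identity it claims. Any trust decision keyed on a hardcoded identity has to use the second check.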
Android 4.4 introduced some changes, limiting some of the privileges that Flash has, but not necessarily those of other plugins, such as device-management applications. Google claims that after it received notification of the flaw a few months ago, it "quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue."
Google also claims that it has scanned all applications submitted to Google Play for the issue, and has "seen no evidence of attempted exploitation of this vulnerability," but omits any mention of changing Android to eliminate the problem entirely, particularly in any older version. Electronista has reached out to Google, Samsung, and other companies to see if the patch has been distributed to end-users by any company -- Google itself is only responsible for patches to its own devices, and vendors and wireless carriers handle the rest. It is unknown if the exploit can penetrate Samsung's Knox enterprise security suite, which is at the core of Google's new security enhancements in Android L.
"With this vulnerability, malware has a way to abuse any one of these hardcoded identities that Android implicitly trusts," said Forristal. "So malware can use the fake Adobe ID and become a plugin to other apps." More details of the flaw will be disclosed at next week's Black Hat security exposition.