In June I mentioned that the Heartbleed bug affects smartphones and tablets that use Android Jelly Bean 4.1.1 as their operating system. Security company Bluebox Labs has now discovered a new Android flaw, which it has called Fake ID. Fake ID allows malicious apps to take extensive control of a user’s device without asking for any special permissions when they are installed.
Who is affected?
Three months ago Bluebox Labs informed Google about Fake ID, and it was fixed when the latest update of Android, KitKat 4.4, was released. Whilst an update has been released with a fix, not everyone will get it, as Google’s own figures show that 82.1% of Android users are running an older version which won’t be fixed. Updates are released to the phone manufacturers, who then modify them to fit their version of Android. The phone manufacturers then release them to the carriers, who do further tests before they release them to their customers.
Google in its wisdom also decided it wasn’t going to offer a KitKat update to buyers of its Galaxy Nexus, even though the phone is less than two years old. Android Open Source Project forks like Amazon’s Fire OS and various packages used in China are also affected.
What Fake ID does
Fake ID allows malware apps to pass fraudulent credentials to Android, which then fails to properly verify the app’s cryptographic signature. Instead, Android grants the malware app all of the access permissions of whatever legitimate app the malware is impersonating. As Google has granted various trusted apps open access, if one of these legitimate apps is mimicked, the mimic is given the keys to the sweet shop. The sweet shop in this case is full control of the device, resulting in the user’s financial data, contacts and other private information, even data stored in the cloud, being compromised.
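The difference between a chain check that only follows issuer names and one that verifies each signature, as an added illustration that is not Android's or Bluebox's code. It assumes the failure is in the chain-building step accepting an issuer claim without checking the issuer's signature; the toy RSA keys, the certificate fields and every name in it are constructed for the example.

```python
import hashlib
from collections import namedtuple

E = 65537  # public exponent shared by the toy keys
Cert = namedtuple("Cert", "subject issuer pub_n sig")

def make_key(p, q):
    """Toy RSA key from two known primes; far too small for real use."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

def digest(subject, issuer, pub_n, mod):
    """Hash of the signed certificate fields, reduced into the signer's modulus."""
    h = hashlib.sha256(f"{subject}|{issuer}|{pub_n}".encode()).digest()
    return int.from_bytes(h, "big") % mod

def issue(subject, pub_n, issuer, signer_n, signer_d):
    """Create a certificate naming `issuer`, signed with the given private key."""
    return Cert(subject, issuer, pub_n,
                pow(digest(subject, issuer, pub_n, signer_n), signer_d, signer_n))

def anchored(chain, pinned):
    """The top of the chain must be exactly the pinned vendor certificate."""
    return bool(chain) and chain[-1] == pinned

def chain_by_name_only(chain, pinned):
    """Flawed model: links are matched on issuer/subject names, no signature check."""
    links = zip(chain, chain[1:])
    return anchored(chain, pinned) and all(c.issuer == p.subject for c, p in links)

def chain_verified(chain, pinned):
    """Hardened model: every link must also verify under the parent's public key."""
    for child, parent in zip(chain, chain[1:]):
        expected = digest(child.subject, child.issuer, child.pub_n, parent.pub_n)
        if child.issuer != parent.subject or pow(child.sig, E, parent.pub_n) != expected:
            return False
    return anchored(chain, pinned)

# Constructed sample data: a pinned vendor certificate and two app certificates.
VENDOR_N, VENDOR_D = make_key(2**61 - 1, 2**89 - 1)
APP_N, APP_D = make_key(2**107 - 1, 2**127 - 1)
PINNED = issue("Trusted Vendor", VENDOR_N, "Trusted Vendor", VENDOR_N, VENDOR_D)
GENUINE = issue("Vendor App", APP_N, "Trusted Vendor", VENDOR_N, VENDOR_D)
# Names the vendor as issuer but was signed by an unrelated key.
UNVOUCHED = issue("Other App", APP_N, "Trusted Vendor", APP_N, APP_D)

if __name__ == "__main__":
    for name, leaf in (("genuine", GENUINE), ("unvouched", UNVOUCHED)):
        chain = [leaf, PINNED]
        print(name, chain_by_name_only(chain, PINNED), chain_verified(chain, PINNED))
```

Both functions pin the same vendor certificate; only the per-link signature check separates them, which is why the name-only version treats the two app certificates alike.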
What Apps can be mimicked?
Some of the apps that malware can pretend to be include Facebook, Flash, Google Wallet & Twitter. Google Wallet and Flash are the ones you should be seriously worried about.
Google stopped supporting Flash for its Android operating system on August 16th 2012. Flash was found to have a lot of security issues and it also drained your battery. When Google stopped Flash support, they did not fix a major flaw, which resulted in Flash plugin privilege escalation remaining embedded in Android’s webview. Android’s webview is the browser component that gets embedded into third-party apps that present web content.
As Flash is so deeply tied into Android’s webview component, any malware app using Fake ID to mimic Flash can subsequently escape Android’s app sandbox and take control of other apps, take data from those apps, sniff out all those apps’ network traffic and also get any additional privileges held by those apps. Google finally removed the Android webview Flash flaw from KitKat 4.4 last year, but if you don’t have Android KitKat 4.4 then the flaw will remain in place.
Google also built support for its own Google Wallet, which is tied to NFC payment data, into Android. Using Fake ID, a malware app pretends to be the Google Wallet app. Android will then provide the fake app with all the permissions it gave its own NFC infrastructure, which worryingly includes all the user’s financial data.
Where do users find these Malware apps?
Google, to their credit, have beefed up security in their Google Play Store and most malware is caught before it’s released. The Amazon App Store and other app stores, mainly based in China, are more lax with verifying apps, resulting in more dodgy apps being available and downloaded. If an app is pulled from the Google Play Store, users will look for it elsewhere; malware developers know this and sense an opportunity.
What can users do to prevent Malware apps getting on their devices?
Since the majority of Android devices do not have KitKat 4.4 on them, you will have to be wary of apps downloaded from other app stores. Check reviews of apps that you are looking at and also do some research on the app’s developer. These malware app developers will do whatever they can to make their apps more enticing, so if an app seems too good to be true then it obviously is. If an app has been pulled from the Google Play Store, there has to be a very good reason for this, and if this app is available in other app stores then alarm bells should start ringing. Also, if a well-known app such as Flash is no longer available on the Google Play Store and you notice it’s available elsewhere, ask yourself why.
If you decide to install a version of Android on your device that is not supported by your carrier or manufacturer, make sure it has no back doors or malware built into it. What versions do well-known Android experts, tech bloggers and journalists recommend and use? If it’s good enough for them, then it’s good enough for you.
There will always be bugs and flaws appearing on mobile devices and it won’t always be on Android devices. Next time it could be on Apple or Windows devices. By making sure that you only download and install apps that are genuine, you should be fine. Nothing is 100% safe, which is why I stated that you should be fine. Looking after your device means protecting it, and if you protect the outside of it with a case, shouldn’t you also protect the inside of it too?