Terrifying Android Vulnerability That Could Let Hackers Completely Take Over Your Phone
Researchers from Bluebox Labs
have discovered a terrifying Android vulnerability that lets malware take
over your apps, steal their data, and essentially take full control of your
phone, including the financial information you've saved in your Google Wallet.
Here's the basic idea: Every Android
app has its own unique identity, and this particular vulnerability allows
malware to copy that identity, so that it can impersonate your applications
without you knowing. Bluebox researchers aptly nicknamed the vulnerability
"Fake ID."
Worse, it affects almost all Android
phones. Bluebox says the vulnerability dates back to the January 2010 release
of Android 2.1 and affects all devices that are not patched for "Google
bug 13678484," which was disclosed to Google and released for patching in
April.
The root of this vulnerability lies
in what's called a "certificate chain," in which encrypted
certificates that verify the identities of Android apps can trust each other to
communicate and share data. The vulnerability, however, makes it impossible to
verify the authenticity of the certificate chain.
Bluebox outlined some of the
implications of this exploit:
An attacker can create a new digital
identity certificate, forge a claim that the identity certificate was issued by
Adobe Systems, and sign an application with a certificate chain that contains a
malicious identity certificate and the Adobe Systems certificate. Upon
installation, the Android package installer will not verify the claim of the
malicious identity certificate, and create a package signature that contains
both certificates. This, in turn, tricks the certificate-checking code in
the webview plugin manager (which explicitly checks the chain for the Adobe
certificate) and allows the application to be granted the special webview plugin
privilege given to Adobe Systems - leading to a sandbox escape and insertion of
malicious code, in the form of a webview plugin, into other applications.
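
The chain-checking gap described in the passage above, as a small Python model. This is an added example, not Android's or Bluebox's code: a chain builder that links certificates only by issuer and subject name, beside one that also requires the parent's key to verify the child's signature. The `Cert` class, the function names, the "Vendor" certificates and the toy RSA keys are all assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537

def make_key(p, q):
    """Toy textbook RSA from two primes (constructed demo keys, not secure)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: tuple
    sig: int = 0
    def tbs(self):  # the bytes the issuer is supposed to have signed
        return f"{self.subject}|{self.issuer}|{self.pub}".encode()

def issue(subject, issuer, pub, signing_priv):
    cert = Cert(subject, issuer, pub)
    n, d = signing_priv
    cert.sig = pow(digest(cert.tbs(), n), d, n)
    return cert

def signed_by(child, parent):
    n, e = parent.pub
    return pow(child.sig, e, n) == digest(child.tbs(), n)

def build_chain(leaf, bundle, verify_signatures):
    """Follow issuer -> subject links; optionally require a valid signature per link."""
    chain, cur = [leaf], leaf
    while cur.issuer != cur.subject:
        parent = next((c for c in bundle if c.subject == cur.issuer), None)
        if parent is None or parent in chain:
            break
        if verify_signatures and not signed_by(cur, parent):
            break  # the issuer claim is not backed by the issuer's key
        chain.append(parent)
        cur = parent
    return chain

# Constructed sample data: a vendor root, a genuine child, and an unbacked issuer claim.
vendor_pub, vendor_priv = make_key(2**61 - 1, 2**89 - 1)
other_pub, other_priv = make_key(2**107 - 1, 2**127 - 1)
vendor = issue("Vendor", "Vendor", vendor_pub, vendor_priv)
genuine = issue("Vendor App", "Vendor", other_pub, vendor_priv)
forged = issue("Unrelated App", "Vendor", other_pub, other_priv)

def trusted_as_vendor(leaf, verify_signatures):
    return vendor in build_chain(leaf, [vendor], verify_signatures)
```

With `verify_signatures=False` the certificate that merely names "Vendor" as its issuer ends up in a chain containing the vendor certificate; with `verify_signatures=True` only the genuinely issued one does.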
Bluebox Labs researcher Jeff
Forristal said he will offer more technical details of the exploit, including
how it was found, and how it works, during his talk at the Black Hat USA
conference in Las Vegas, which begins Aug. 2.
If you use Android 4.4 (known as
KitKat) or you received Google's April patch before your phone was attacked,
you're safe.
Bluebox released a free
security scanner that will let you know if your phone has been affected.