BlueBox Security has discovered a serious design flaw in Android that essentially allows hackers to use malicious apps to hijack phones, as well as some Samsung tablets. The design flaw has been designated “Fake ID” because it lets a malicious app impersonate trusted legitimate apps, which may have extensive permissions. By posing as a legitimate app, a Fake ID app is then able to monitor and modify the phone, including accessing contacts and images, reading emails, and accessing financial data including payments, cloud storage and other private data. BlueBox alerted Google to this design flaw three months ago, but consumers may just be learning about this significant security risk today.
Essentially the design flaw lies with Adobe Flash. Although Google stopped using Flash for Android, a privileged plugin remains in the WebView browser component of the system. This plugin is embedded into third-party apps; a malicious app can then impersonate Flash and take data from other apps, including permissions and ID verifications.
According to Jeff Forristal, the chief technology officer for BlueBox Security, the design flaw allows malicious apps to create fake identification cards within the phone. Forristal sums up the issue as Android “failing to verify” the certificates that are used to certify apps, especially with “super privileged programs.” This allows malicious apps to create fake certificates claiming to be, for example, the Wallet app. Based upon the fake certificate, the Android operating system will then give that app legitimate permissions without ever verifying the certificate.
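The difference between trusting a certificate's claimed issuer and verifying it can be shown in a small model. The following is an added example, not code from BlueBox or Android: it uses toy dictionary "certificates" and textbook RSA with constructed small keys, and every function and name in it is hypothetical.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy textbook-RSA key from two primes (constructed; not for real use)."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def digest(cert, n):
    """Hash the signed fields of a toy certificate, reduced mod n."""
    body = f'{cert["subject"]}|{cert["issuer"]}|{cert["pub"]}'.encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_key, issuer_name, signing_key):
    """Build a certificate for subject, signed with signing_key."""
    cert = {"subject": subject, "issuer": issuer_name,
            "pub": (subject_key["n"], subject_key["e"])}
    n = signing_key["n"]
    cert["sig"] = pow(digest(cert, n), signing_key["d"], n)
    return cert

def signature_ok(cert, issuer_cert):
    """True only if issuer_cert's public key really signed cert."""
    n, e = issuer_cert["pub"]
    return pow(cert["sig"], e, n) == digest(cert, n)

def chain_ok_names_only(chain):
    """Flawed check: trusts the issuer field without verifying any signature."""
    return all(c["issuer"] == p["subject"] for c, p in zip(chain, chain[1:]))

def chain_ok_verified(chain, pinned_root):
    """Corrected check: pinned root plus a valid signature on every link."""
    return chain[-1] == pinned_root and all(
        c["issuer"] == p["subject"] and signature_ok(c, p)
        for c, p in zip(chain, chain[1:]))

def sample_chains():
    """Constructed data: a vendor-signed app and one that only names the vendor."""
    vendor_key = make_key(2**31 - 1, 2**61 - 1)
    other_key = make_key(2**19 - 1, 2**17 - 1)
    root = issue("Vendor", vendor_key, "Vendor", vendor_key)
    genuine = issue("App", other_key, "Vendor", vendor_key)
    claimed = issue("App", other_key, "Vendor", other_key)  # vendor never signed this
    return [genuine, root], [claimed, root], root

if __name__ == "__main__":
    good, bad, root = sample_chains()
    print(chain_ok_names_only(good), chain_ok_names_only(bad))
    print(chain_ok_verified(good, root), chain_ok_verified(bad, root))
```

The name-only check accepts both chains, while the verified check accepts only the chain whose leaf the vendor key actually signed.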
The Android security flaw, which has provided hackers the ability to hijack phones and tablets, affects devices from Android 2.1, released in 2010, up until the latest Android 4.4 KitKat version, which has a patch for the security breach. However, there is no clear indication that this patch, which ostensibly removed the WebView Flash flaw, addresses the design flaw in full; rather, it may just limit its scope. In addition, by some accounts only a small percentage of consumers have installed the new KitKat version containing the patch, so the rest are still vulnerable to being hacked.
Google has issued a statement thanking BlueBox Security for its discovery of the Android security flaw and indicated that research on third-party apps is “one of the ways Android is made stronger for users.” Further, Google points to its swift response to the threat in the form of “a patch that was distributed to Android partners, as well as to AOSP.” According to Google, both Google Play and Verify Apps have been enhanced in order to increase protections for users, and based upon an internal review of its apps, the company has no evidence of any “attempted exploitation” of the Android security flaw.
Despite Google’s assurances that client information has not been exploited or compromised, the security design flaw in Android may still represent a significant threat to Android consumers who have phones that predate the 4.4 KitKat version. For those with older phones, or even those with the most current version who have not yet updated to apply the patch, the Android security flaw could be a boon to hackers seeking to hijack sensitive data.
By Alana Marie Burke