Are Android hackers using fake IDs to get into mobiles?

Security

by Jimmy Nicholls| 30 July 2014

Bluebox says phones from last four years vulnerable.

Android applications are vulnerable to being impersonated by malware using fake software ID, according to mobile security firm Bluebox.

A patch for the bug was released by Google in April of this year, but unpatched Android systems from 2.1 to 4.4 are still said to be vulnerable.

Jeff Forristal, CTO at Bluebox, said: "Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability."

Signatures on Android work in a similar fashion to SSL (secure sockets layer) certificates used to encrypt information on the internet, and work through a PKI (public key infrastructure) identity certificate.

According to Bluebox, Android does not attempt to check the authenticity of a certificate chain by comparing a child certificate to the public certificate of the issuer, meaning hackers can bypass sandbox security that would otherwise detect malicious code.

"The problem is further compounded by the fact that multiple signers can sign an Android application, as long as each signer signs all the same application pieces," Forristal added.

"This allows a hacker to create a single malicious application that carries multiple fake identities at once."

Update

A Google spokesman said: "We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users.

"At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."

Comments
Post a comment

Comments may be moderated for spam, obscenities or defamation.
Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.