Android crypto blunder exposes users to highly privileged malware

  • 29 July 2014
  • 2 replies
  • 640 views


"Fake ID" exploits work because Android doesn't properly inspect certificates.

by Dan Goodin - July 29 2014
A slide from next week's Black Hat talk titled Android Fake ID vulnerability.

The majority of devices running Google's Android operating system are susceptible to hacks that allow malicious apps to bypass a key security sandbox so they can steal user credentials, read e-mail, and access payment histories and other sensitive data, researchers have warned.

The high-impact vulnerability has existed in Android since the release of version 2.1 in early 2010, researchers from Bluebox Security said. They dubbed the bug Fake ID because, like a fraudulent driver's license an underage person might use to sneak into a bar, it grants malicious apps special access to Android resources that are typically off limits. Google developers have introduced changes that limit some of the damage that malicious apps can do in Android 4.4, but the underlying bug remains unpatched, even in the 5.0 preview.

Full Article

2 replies

Well Hello Jasper! This is very disturbing news but I'm thinking I'd be protected by WSAC on my Android 4.4.
By Leo Kelion

An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user's credit card data and take control of the device's settings.
 
BlueBox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.
The company added it had alerted Google to the problem in advance to allow it to mend its operating system.
 
Google confirmed it had created a fix.
 
"We appreciate BlueBox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users," said a spokeswoman.
"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project."
 
However, the many thousands of devices still running versions of the operating system ranging from Android 2.1 to Android 4.3 that have not been sent the fix by the relevant network operators and manufacturers remain vulnerable if they download apps from outside the Google Play store.
 
Full Article.