'Fake ID' flaw in Android leaves four out of five phones at risk

Shawn Knight


Security researchers at Bluebox Labs have uncovered a design flaw in Android that could allow malware to take over a device.

Dubbed "Fake ID" by Bluebox, the flaw is related to how app security is handled. In Android, each app is given its own unique cryptographic signature that determines who can update it and what privileges it has. As The Guardian explains, there are parent certificates and child certificates, both of which are checked against one another during installation to ensure they match and the app is trusted.

The problem is that Android doesn't carry out enough security checks so it doesn't know if the certificate was properly issued or if it was forged.

Bluebox CTO Jeff Forristal likened it to a tradesman arriving at a building. The worker presents an ID to a security guard and is allowed to enter as the ID appears legit. The security guard never validates the ID by calling his employer to make sure he works there.

Using the flaw, a malicious actor can have their malware validated by impersonating another app that has special privileges. Forristal cited Adobe Flash and Google Wallet as examples of apps that have high-level access within Android.

The flaw has existed in Android since version 2.1 was released way back in 2010. The good news is that it was removed from Google's mobile operating system last fall with Android 4.4 KitKat, but as of earlier this month, less than 18 percent of all Android users are running the latest version. That means roughly 82 percent of all Android users are at risk.
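A simplified model of the parent/child certificate check described above, added here as an illustration (it is not code from Android, Bluebox or the article): one check only compares the names the child certificate states, the other also verifies the parent's signature on the child. The certificate fields, the names "Trusted Vendor", "Vendor Plugin" and "Unrelated App", and the toy textbook-RSA keys are all assumptions constructed for the example.

```python
import hashlib

def make_key(p, q, e=65537):
    """Textbook RSA key from two primes (toy sizes, for illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def digest(cert, n):
    """Hash of the signed fields, reduced mod n (toy stand-in for real padding)."""
    body = f"{cert['subject']}|{cert['issuer']}|{cert['pub']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

def issue(subject, subject_key, issuer_name, signing_key):
    """Build a certificate for `subject` and sign it with `signing_key`."""
    cert = {"subject": subject, "issuer": issuer_name,
            "pub": (subject_key["n"], subject_key["e"])}
    cert["sig"] = pow(digest(cert, signing_key["n"]), signing_key["d"], signing_key["n"])
    return cert

def chain_ok_names_only(child, parent):
    """Flawed check: believes the child's claim about who issued it."""
    return child["issuer"] == parent["subject"]

def chain_ok_verified(child, parent):
    """Hardened check: the parent's public key must verify the child's signature."""
    if child["issuer"] != parent["subject"]:
        return False
    n, e = parent["pub"]
    return pow(child["sig"], e, n) == digest(child, n)

# Constructed sample data: Mersenne primes keep the toy keys reproducible.
vendor_key = make_key(2**61 - 1, 2**89 - 1)
plugin_key = make_key(2**107 - 1, 2**127 - 1)
other_key = make_key(2**31 - 1, 2**521 - 1)

parent = issue("Trusted Vendor", vendor_key, "Trusted Vendor", vendor_key)
genuine = issue("Vendor Plugin", plugin_key, "Trusted Vendor", vendor_key)
# Names "Trusted Vendor" as issuer, but is signed with an unrelated key.
forged = issue("Unrelated App", other_key, "Trusted Vendor", other_key)

def compare_checks():
    """Return (names_only, verified) results for each sample certificate."""
    return {name: (chain_ok_names_only(c, parent), chain_ok_verified(c, parent))
            for name, c in (("genuine", genuine), ("forged", forged))}

if __name__ == "__main__":
    print(compare_checks())
```

The name-only check accepts both certificates, while the signature check accepts only the one the parent key actually signed.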


 
Google really needs to solve the problem on getting updated versions of Android to users. It really isn't a tough problem.
 
Still seems low risk to me because you would still have to download and approve the permissions for the app. Even if it is faking its approved thing to get onto the Play Store you still need to take two stupid actions - 1) download it and 2) grant it permissions. This is more akin to the guard letting the person through after seeing their ID and asking them what they are there for and they say "to steal your info". If you give an app permissions to read your phone book, access wifi, access data, modify SD card, use camera, use GPS, etc etc etc then you're not looking out for your best interests.
 
Google really needs to solve the problem on getting updated versions of Android to users. It really isn't a tough problem.

Google pushes out updates very often (almost monthly, sometimes more often for big bugs). However, they do not manage the phones. That is up to the vendors and wireless providers which have to go through all sorts of tests on their custom apps and hardware. This is the same for large companies with Windows updates, etc.

If you want the latest, you can have it by loading custom ROMs, but you risk losing some features that vendors have installed (like most of the gimmicky crap Samsung puts in).
 
Google pushes out updates very often (almost monthly, sometimes more often for big bugs). However, they do not manage the phones. That is up to the vendors and wireless providers which have to go through all sorts of tests on their custom apps and hardware. This is the same for large companies with Windows updates, etc.

If you want the latest, you can have it by loading custom ROMs, but you risk losing some features that vendors have installed (like most of the gimmicky crap Samsung puts in).
It's not Google, it's Samsung, LG, etc. that won't take the updates Google releases and roll them out to their phones.
@ Nima304
It really is.
Are you guys familiar with the Windows operating system? How many different configurations of hardware does that OS run on, do you think? How many different vendors produce hardware, install that software, and sell the resulting package as a whole to consumers? Does Microsoft have any trouble sending updates to those who have Windows installed? No, because the way OEMs add custom software to that system is entirely different.

As opposed to making an entirely custom OS for their phones, carriers should simply make minimal changes to the UI and install their **** bloatware no one uses as a package on the operating system, which would make it easy to pass Android updates to all of their phones, given that the software hasn't been changed much from stock. You see this all the time in Linux administration; someone recently discovers Linux, and decides they want to change everything about their system because they can. They love the result, it runs immensely well for a couple of months or years, and then, when it's time to update, they realize they can't and have to completely rebuild the system to accept updates or start over from an updated base. It's immature, stupid, and bad for the consumer when carriers take this kind of approach simply because they can, and there's no excuse for it.
 
@Nima304 Yes you are right. Google got their update release model wrong. They left it to the phone manufacturers to push the updates out.

I can imagine it would place a lot of restrictions on the end clients if you were to manage it at the higher level of OS provider (Google) rather than phone manufacturer. It's the classic problem Apple has with rolling iOS updates to older models of phones.

The question is what should the strategy really be?

I'm thinking Google should push updates to all phones but the updates are, as suggested, MS style in that you get security updates for older OS's and there is some mechanism to migrate a phone to a higher major version. Maybe a whitelist of phone models that Google sets at request of phone manufacturers or alternatively a user option?

In any case, older Android versions currently are not being patched and this is a really bad thing for the ecosystem.
 
Are you guys familiar with the Windows operating system? How many different configurations of hardware does that OS run on, do you think? How many different vendors produce hardware, install that software, and sell the resulting package as a whole to consumers? Does Microsoft have any trouble sending updates to those who have Windows installed? No, because the way OEMs add custom software to that system is entirely different.

As opposed to making an entirely custom OS for their phones, carriers should simply make minimal changes to the UI and install their **** bloatware no one uses as a package on the operating system, which would make it easy to pass Android updates to all of their phones, given that the software hasn't been changed much from stock. You see this all the time in Linux administration; someone recently discovers Linux, and decides they want to change everything about their system because they can. They love the result, it runs immensely well for a couple of months or years, and then, when it's time to update, they realize they can't and have to completely rebuild the system to accept updates or start over from an updated base. It's immature, stupid, and bad for the consumer when carriers take this kind of approach simply because they can, and there's no excuse for it.

Can't speak for the other companies, but Samsung devices try and make a name for themselves with the TouchWiz UI that's not the same as the stock Google offerings etc.
Also that bloatware you talk about is how these companies get a lot of revenue.

The fact is Google would probably like to roll out updates directly but the manufacturers of the devices don't want it like that. They are the ones with the money invested in a product and don't want to leave the OS of that product in someone else's hands.

Also the real responsibility lies with the user; CyanogenMod has a super easy installer available now that will root and reflash your phone with a brand new Android 4.4 release without any technical knowledge.
 