Earlier this morning, the mobile security company Bluebox Security reported a serious hole in Android that affects almost all versions of the operating system dating back to 2.1
The malware designed to take advantage of the corrupt code in question was able to exploit the permissions of a phone or tablet, and trick them into trusting the maliciously injected program as though it were another app which had already received administrative privileges.
It achieves this by manipulating the public key infrastructure certificate, or PKI, which essentially acts as the unique cryptographic identifier for every application that is published by a respected and vetted developer.
Bluebox elaborated on the specifics of this process on their blog, which can be read in full here:
“As part of the PKI standard, an identity certificate can have a relationship with another identity certificate: a parent certificate (‘issuer’) can be used to verify the child certificate. On an Android system, the digital certificate(s) used to sign an Android application become the application’s literal package “signature”, which is accessible to other applications via normal application meta-data APIs [application programming interfaces].”
Normally this function operates on a two way street with a checkpoint installed at each end. When the program asks for permissions, the phone asks for its key. No key, no permissions, right?
Well, that’s where Fake ID came in. Fake ID is especially dangerous because unlike other malware which in general would serve a single, insular purpose, Fake ID hands over the certificate keys to the kingdom for any hackers who might want to install their influence on someone’s phone without paying for their pass for admittance. By forging the keys that give normal apps the ability to do things like read contacts, send emails, or post to Facebook, any malware on the market would be given unfettered access to the core of a person’s mobile device, essentially wiping out any and all protection measures that the Android security team has spent millions to develop and maintain.
Thankfully, Google was lightning quick in its response to the problem, pouncing on the issue with the full might of their security team and pushing out a patch within mere hours of its announcement around 7am EST this morning.
“We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users. After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP [Android Open Source Project]. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability.”
No one can say for sure whether or not the issue will continue to be a headache for the mobile developer, but for now it seems they have deftly avoided disaster through a timely, coordinated response that should make us all feel a little safer when we lock down our phones for the night.