Researchers have discovered a new threat within Google's Android operating system, which puts malware into Android applications that masquerades as trusted apps, thus letting cyber-criminals completely take control of a host system.
The latest Android bug has been labelled 'Fake ID' by US based mobile data security firm Bluebox Labs whose researchers are credited with detecting the security hole.
According to engineers at Bluebox Labs, 'Fake ID' is designed by hackers to allow malicious applications to impersonate specially recognised trusted applications. An important aspect here is that Android users are not notified about the whole 'trusted app impersonation' process, by the inbuilt security mechanism in Android devices.
By masquerading as trusted apps, the malicious code inserted by 'Fake ID' into other applications, bypasses security mechanisms as a result of which confidential/sensitive user data is at risk of falling into the hands of cyber-criminals.
Fundamentally, 'Fake ID' aids various malware programs in defying the 'Application Sandbox' mechanism which is one of the core security features in Android.
This process results in the injection of malware, which could open a backdoor to other types of threat such as Trojan horses that are normally designed to invade personal data of users, and pass these on to hackers.
Trojan horses invading an Android smartphone could also gain access to payment details of users by masquerading as Google Wallet.
"The vulnerability can take full management control of the entire device by impersonating 3LM", states a Bluebox security engineer, in an official blog post.
Exploitation of Android certificates
Fake ID, apart from allowing malware programs to bypass Android security sandboxing, also exploits Android's identity certificate verification mechanism.
Typically, the Identity Certificate verification mechanism authenticates the validity of a particular certificate and its issuer (source of the certificate).
"The use of identity certificates to sign and verify data is commonplace on the Internet, particularly for HTTPS/SSL use in web browsers. As part of the PKI standard, an identity certificate can have a relationship with another identity certificate: a parent certificate ("issuer") can be used to verify the child certificate," adds the official blog post of Bluebox.
'Fake ID' infested Android devices make no attempt to verify the issuer of an identity certificate, which results in certificates passing off as 'genuine'.
A typical scenario here would be hackers creating digital certificates, and forging these as having been issued by a reputed player (such as Adobe). After forging digital certificates, criminals can sign an application with a certificate chain that contains a malicious identity certificate.
After installation of the application, the default Android installer does not verify the claim of hackers (creating rogue identity certificates), and the app gets installed with forged identity certificates.
"The problem is further compounded by the fact that multiple signers can sign an Android application. This allows a hacker to create a single malicious application that carries multiple fake identities at once," adds the blog post.
Combating 'Fake ID' security hole
Engineers at Bluebox have claimed that the 'Fake ID' vulnerability dates back to 2010 when Google came out with its Android 2.1 mobile OS. This means that all devices running Android 2.1 and above could potentially be targeted by the 'Fake ID' scam.
However, Google has seemingly come with security fixes, to combat 'Fake ID'.
"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project," the internet giant told Daily Mail UK.
Also, Google has stated that no applications within its Play repository have been potentially affected by 'Fake ID'. Google also reportedly resorted to doing a scan of its entire app repository.
Bluebox has a standalone 'Bluebox Security Scanner' that users can install and check whether their Android devices are exposed to 'Fake ID'.