Android security issues keep cropping up; this time, however, a serious vulnerability could lead to the complete compromise of devices running versions of the mobile operating system lower than 4.4.
The flaw allows malicious apps to impersonate trusted ones behind the user’s back and to benefit from the same access permissions as the legitimate software. This creates the risk of attackers obtaining financial information or even taking control of the device.
The vulnerability lies in the Android OS and affects all versions not patched against Google bug 13678484, which was disclosed to the company in April 2014, according to researchers at Bluebox Security.
“Anything that relies on verified signature chains of an Android application is undermined by this vulnerability,” the researchers said.
Every app installed on the operating system is signed with a digital certificate, which does not necessarily have to come from a certificate authority (CA). Some apps carry certificates that are hard-coded in the system and grant them special privileges.
Certificate chains are created to let multiple apps perform certain actions; their permissions are gated, though, so they do not enjoy the same freedom on the system as the parent signature grants.
“For example, an application bearing the signature (i.e. the digital certificate identity) of Adobe Systems is allowed to act as a webview plugin of all other applications, presumably to support the Adobe Flash plugin,” said Jeff Forristal, CTO at Bluebox Security, in a blog post.
The vulnerability discovered by the security company, however, is that the Android package installer does not verify the authenticity of a certificate chain.
Basically, a signature claiming to come from a higher authority is never checked, so an attacker can create a certificate that falsely claims to have been signed by a trusted developer, such as Adobe Systems.
Then, they can “sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate.”
Since the Android packager does not perform any checks, it creates a package signature with both certificates, granting the malicious app the same privileges as those given by the hard-coded digital certificate.
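The missing verification step, as an added example that is not Bluebox's, Google's or Android's code: a standard-library Go program that mints a constructed vendor root, a plugin the vendor actually issued, and a forged leaf that simply names the vendor as its issuer, then runs an issuer-name-only check next to one that also verifies the leaf's signature with the root's key. The names, keys and the two check functions are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate whose issuer field says whatever the caller asks for; only the signer's key is bound to it.
func newCert(subject, issuer string, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey, ca bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca,
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}} // contributes the issuer name only
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// NameOnlyCheck trusts whatever issuer name the leaf claims; a forged certificate passes it.
func NameOnlyCheck(leaf, root *x509.Certificate) bool {
	return leaf.Issuer.CommonName == root.Subject.CommonName
}
// SignatureCheck additionally verifies the leaf's signature with the root's public key.
func SignatureCheck(leaf, root *x509.Certificate) bool {
	return NameOnlyCheck(leaf, root) && leaf.CheckSignatureFrom(root) == nil
}
// Verdicts runs both checks over a constructed scenario (throwaway P-256 keys): a vendor root, a plugin it really issued, and a forged leaf that merely names the vendor as issuer.
func Verdicts() map[string][2]bool {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	vendorKey, devKey, attackerKey := key(), key(), key()
	vendor := newCert("Trusted Vendor", "Trusted Vendor", &vendorKey.PublicKey, vendorKey, true)
	legit := newCert("Vendor Plugin", "Trusted Vendor", &devKey.PublicKey, vendorKey, false)
	forged := newCert("Malicious App", "Trusted Vendor", &attackerKey.PublicKey, attackerKey, false)
	return map[string][2]bool{
		"name_only": {NameOnlyCheck(legit, vendor), NameOnlyCheck(forged, vendor)},
		"signature": {SignatureCheck(legit, vendor), SignatureCheck(forged, vendor)},
	}
}
func main() { fmt.Println(Verdicts()) }
```

The name-only check accepts both certificates, while the signature check accepts only the plugin the vendor really issued.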
“The problem is further compounded by the fact that multiple signers can sign an Android application (as long as each signer signs all the same application pieces). This allows a hacker to create a single malicious application that carries multiple fake identities at once,” Forristal said.