return icon

Android Fake ID bug exposes smartphones and tablets

An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user's credit card data and take control of the device's settings.

An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user's credit card data and take control of the device's settings.



BlueBox Labs says that Android was not doing full enough checks on the IDs used to grant apps special privileges


BlueBox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.

The company added it had alerted Google to the problem in advance to allow it to mend its operating system.

Google confirmed it had created a fix.

"We appreciate BlueBox responsibly reporting this vulnerability to us. Third-party research is one of the ways Android is made stronger for users," said a spokeswoman.

"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to the Android Open Source Project."

However, the many thousands of devices still running versions of the operating system ranging from Android 2.1 to Android 4.3 have not been sent the fix by relevant network operators and manufacturers remain vulnerable if they download apps from outside the Google Play store.

Forged signatures

BlueBox has dubbed the vulnerability Fake ID, because it exploits a problem with the way Android handles the digital IDs - known as certification signatures - used to verify that certain apps are what they appear to be.

The issue is that while Android checks an app has the right ID before granting it special privileges, it fails to double-check that the certification signature involved was properly issued and not forged.

Jeff Forristal, chief technology officer of BlueBox, likened the issue to a tradesman arriving at a building, presenting his ID to a security guard and being given special access to its infrastructure without a phone call being made to the tradesman's employer to check he is really on its books.

"That missing link of confirmation is really where this problem stems," he told the BBC.

"The fundamental problem is simply that Android doesn't verify any claims regarding if one identity is related to another identity."

To make matters worse, he added, a single app can carry several fake identities at once, allowing it to carry out multiple attacks.


BlueBox warns that old unpatched versions of Android remain vulnerable



Mr Forristal gave three examples of how a faked certification signature might be used to cause harm:

•    The app pretends to be created by Adobe Systems - Adobe is granted the privilege of being able to add code to other apps in order to support their use of its Flash media-player plug-in. The malware can take advantage of this to install Trojan horse malware into otherwise authentic programs

•    The app uses the same ID used by Google Wallet - the search firm's mobile payment software is usually the only app allowed to communicate with the secure hardware used to make credit card transactions via a phone's tap-to-pay NFC (near field communication) chip. By exploiting this, the malware can obtain financial and payment data that would otherwise be protected

•    The app impersonates 3LM software - many manufacturers add their own skins to Android to customise their devices' user interfaces and functions. In the past, HTC, Sony, Sharp, Motorola and others did this by using extensions created by a now defunct business called 3LM. By masquerading as 3LM's software, malware could take full control of the relevant devices and both uninstall their existing software as well as adding spyware, viruses and other damaging content of its own

BlueBox made headlines last July when it revealed the Master Key bug - a coding loophole that could allow hackers to take control of Android devices. Cybercriminals were later spotted using the technique to target users in China.

Mr Forristal said he believed that the Fake ID flaw had the potential to be a bigger problem.

"Master Key did allow a whole device to be taken over... but the user had to be duped into a couple of decisions before the malware would be able to achieve its goal," he explained.

"Fake ID unfortunately occurs in a manner that is hidden to the user - there's no prompts, no notifications, no need for special permissions.

"The user can actually be told the app doesn't want any special permissions at all, which most people would think makes it relatively safe. But once Fake ID is installed it's 'game over' instantly."

Dr Steven Murdoch, a security expert at the University of Cambridge's computer laboratory agreed this was a serious flaw. But he added that most device owners should still be able to avoid being affected.

"Google will be looking for people who are exploiting this vulnerability in applications being distributed through its own Google Play store," he said.

"So, if that's the only place that you get apps from, you are in a relatively good position.

"But if you download applications from other sources you will be putting yourself at risk."

A spokeswoman from Google confirmed that the company had scanned all the applications in its own store as well as some of those elsewhere.

"We have seen no evidence of attempted exploitation of this vulnerability," she added.

BlueBox is releasing an Android app of its own that will check whether the host device has been patched.

Source: BBC


SEA Games torch carried through streets of Hanoi

Brimming with symbolism, the torch was ceremoniously lit from a small lamp that had landed on Vietnam’s soil two days prior, and had been carefully guarded at the Cambodian Embassy.

British experts discover new untouched caves in Quang Binh

Five new caves where humans have never set foot were recently discovered in Lam Hoa commune of Tuyen Hoa district in the central province of Quang Binh by experts of the British Royal Cave Association.

30 Indonesians fall victim to Malaysia human trafficking ring in Vietnam

The police in Ho Chi Minh City have busted a human trafficking ring involving Malaysian nationals that allegedly deceived 30 Indonesians for property appropriation in Vietnam.

Over 103,000 TB cases detected in Vietnam last year

Vietnam detected 103,120 tuberculosis (TB) patients in 2022, up nearly 31% year-on-year, and 1.8% against that of 2020.

Vietnam commits to cross-border water development goals: Deputy PM

Vietnam pledges to further enhance cooperation with international organisations and partners to achieve sustainable cross-border water development goals, Deputy Prime Minister Tran Hong Ha has said.

Vietnam tourism promoted in Japan

A workshop on Vietnamese tourism and carriers, co-hosted by Vietnam Airlines and travel operator Thien Minh Group (TMG), took place in Tokyo on March 24, gathering 80 travel companies and airlines from both nations.

Hanoi seeks support from UNESCO in restoration of Kinh Thien Palace

Hanoi asked for continued support from the UNESCO World Heritage Centre (WHC) for a project to restore Kinh Thien Palace in the Thang Long Imperial Citadel in Hanoi, which was recognised as a UNESCO World Heritage Site in 2010.

CAAV suggests more time for piloting biometric authentication

The Civil Aviation Authority of Vietnam (CAAV) has proposed continuing pilot application of biometric authentication (facial recognition) at airports’ check-in desks.

Netflix to set up representative legal entity in Vietnam

Netflix is carrying out procedures with the Ministry of Planning and Investment to establish its representative legal entity in Vietnam.

Vietnamese Fintech unicorn among top 10 global financial platforms

Vietnam has one representative in the Global Platforms Ranking 2023, announced by TABInsights under The Asian Banker.

Newspapers should use AI wisely

AI can help journalists recognize if they are wasting resources by creating similar press products. However, journalists should only not depend on or be controlled by artificial intelligence (AI).

Pirated games flood the market as discounts are slashed on app stores

With app stores’ decisions to reduce discounts and support from payment service providers such as credit cards and e-wallets (MoMo), pirated games of international distributors, especially Chinese games, can easily enter Vietnam.

Vietnam needs to learn lessons in developing renewable energy

Dr Le Hai Hung says renewable power plants occupy much land, but environmental concerns remain controversial, and in the next 10 years, it will not be a reliable energy source for business production and people’s daily life.

High-end real estate developers advised to develop social housing

Realtors who specialize in high-end real estate projects should think of adding social housing projects to their business strategies, because the projects ensure sustainability and stability for them.

No time to waste in building the offshore wind industry

Action on accelerating offshore wind power projects is urgently needed if the government is to meet its targets for the decade.