One of the best things about mobile operating systems is sandboxing. This technique compartmentalizes applications, preventing risky apps (or any app) from having free rein over your Android. But a new vulnerability might mean that Android's sandbox isn't as strong as we thought.
What is It?
At Black Hat, Jeff Forristal demonstrated how a flaw in how Android handles certificates could be used to escape the sandbox. It could even be used to give malicious apps higher privilege levels, all without giving victims a clue as to what's going on in their phone. Forristal said that this vulnerability could be used to steal data, passwords, and even take full control of multiple apps.
At the core of the issue are certificates, which are basically little cryptographic documents that are meant to ensure that an app is what it claims to be. Forristal explained that it's the exact same technology used by websites to ensure authenticity. But Android, it turns out, does not examine the cryptographic relationships between certificates. This flaw, said Forristal, is "pretty fundamental to the Android security system."
What it Does
In his demonstration, Forristal used a fake Google Services update that contained malicious code using one of the Fake ID vulnerabilities. The app was delivered along with a social engineering email where the attacker poses as part of the victim's IT department. When the victim goes to install the app, he sees that the app doesn't require any permissions and appears legitimate. Android carries out the installation, and everything appears to be fine.
But in the background, Forristal's app has used a Fake ID vulnerability to automatically and immediately inject malicious code into other apps on the device. Specifically, it abused an Adobe certificate for updating Flash whose information was hardcoded into Android. Within seconds, he had control of five apps on the device--some of which had deep access to the victim's device.
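The flaw described above and in the "What is It?" section comes down to one question: does the verifier trust a certificate because its issuer field names a trusted party, or because the certificate's signature actually verifies under that trusted party's key? The following is an added example, not code from the article or from Android; it is a toy model using textbook RSA with fixed Mersenne primes (purely for illustration, not a real key-generation method), with made-up package names and a made-up trust-anchor string. It contrasts a name-only check, which accepts any certificate that merely claims a trusted issuer, with a chain check that also verifies the signature.

```python
"""Toy model of the check the article describes: a name-only issuer
comparison versus real signature verification against the trust anchor.

Constructed example. Keys are tiny textbook RSA built from fixed Mersenne
primes; this is for illustration only and is not how Android, Adobe, or
any real verifier handles keys or certificates.
"""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent (coprime to phi for the primes chosen below)


def make_keypair(p, q):
    """Textbook RSA from two distinct primes: returns ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _digest(body: bytes, n: int) -> int:
    """SHA-256 of the signed body, reduced into Z_n (toy padding-free RSA)."""
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n


def sign(priv, body: bytes) -> int:
    n, d = priv
    return pow(_digest(body, n), d, n)


def verify(pub, body: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(body, n)


def _body(subject: str, issuer: str, pub) -> bytes:
    """The bytes an issuer signs: subject, issuer name, subject public key."""
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub: tuple   # subject's public key (n, e)
    sig: int     # issuer's signature over the body

    @property
    def body(self) -> bytes:
        return _body(self.subject, self.issuer, self.pub)


def issue(subject, issuer_name, issuer_priv, subject_pub) -> Cert:
    return Cert(subject, issuer_name, subject_pub,
                sign(issuer_priv, _body(subject, issuer_name, subject_pub)))


# Hypothetical trust anchor name, standing in for the hardcoded issuer.
TRUSTED_ISSUER = "Demo Trusted Issuer (hypothetical)"


def name_only_check(cert: Cert, trusted_name: str) -> bool:
    """Weak: trust is granted on the issuer string alone."""
    return cert.issuer == trusted_name


def chain_check(cert: Cert, trusted_name: str, trusted_pub) -> bool:
    """Correct: the issuer name must match AND the signature must verify
    under the trusted issuer's public key, so a self-made certificate that
    merely claims the trusted issuer is rejected."""
    return cert.issuer == trusted_name and verify(trusted_pub, cert.body, cert.sig)


def demo() -> dict:
    # Three independent toy key pairs (all exponents are Mersenne primes).
    anchor_pub, anchor_priv = make_keypair(2**61 - 1, 2**89 - 1)
    app_pub, _ = make_keypair(2**107 - 1, 2**127 - 1)
    other_pub, other_priv = make_keypair(2**521 - 1, 2**607 - 1)

    # Genuinely issued by the anchor's private key.
    genuine = issue("com.example.genuine", TRUSTED_ISSUER, anchor_priv, app_pub)
    # Claims the trusted issuer by name, but signed with an unrelated key.
    claimed = issue("com.example.unrelated", TRUSTED_ISSUER, other_priv, other_pub)

    return {
        "genuine_name_only": name_only_check(genuine, TRUSTED_ISSUER),
        "genuine_chain": chain_check(genuine, TRUSTED_ISSUER, anchor_pub),
        "claimed_name_only": name_only_check(claimed, TRUSTED_ISSUER),
        "claimed_chain": chain_check(claimed, TRUSTED_ISSUER, anchor_pub),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'accepted' if result else 'rejected'}")
```

The name-only check accepts both certificates because it never touches the signature; the chain check accepts the genuine one and rejects the one that only claims the issuer, which is the cryptographic relationship the article says Android failed to examine.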
This isn't the first time Forristal has messed around with Android. Back in 2013, Forristal startled the Android community when he unveiled the so-called Master Key exploit. This wide-spread vulnerability meant that fake apps could be disguised as legitimate ones, potentially giving malicious apps a free pass.
Forristal's presentation didn't just give us the eye-opening news about Android, it also gave us a tool to protect ourselves. Forristal released a free scanning tool to detect this vulnerability. Of course, that still means that people will have to prevent malware from getting on their phones.
The bug has also been reported to Google, and patches are apparently coming out at different levels.
More importantly, the entire attack hinges on the victim installing the app. True, it doesn't have the red flag of asking for lots of permissions, but Forristal said that if users avoid apps from "shady places" (read: outside Google Play) they'll be safe. At least, for now.