New Android 'Fake ID' flaw empowers stealthy new class of super-malware


Comments

  • Reply 21 of 103
    evilution Posts: 1,399 member
    Quote:

    Originally Posted by WisdomSeed View Post



    While it sounds menacing, has the exploit actually been found in the wild? I'm never sure where the terror starts, there is a vast difference between 'can/might' and 'did'.

    Considering that he will be telling everyone all about it next week, I'm sure there'll be plenty of people ready to utilise the new method.

    What can Google do about it? Release an update to Android? That'll help the 100 or so people who update.

  • Reply 22 of 103
    chipsy Posts: 287 member
    evilution wrote: »
    Considering that he will be telling everyone all about it next week, I'm sure there'll be plenty of people ready to utilise the new method.
    What can Google do about it? Release an update to Android? That'll help the 100 or so people who update.
    If it has to be a system update then you would be right (there is btw a fix for it in 4.4.4 with the only danger there being NFC but who in their right mind installs a Google Wallet app from outside of the Play Store?). But it might also be possible that the security update can be pushed by the Play Store's new Dynamic Security Provider (new since June). It has already been used to fix some OpenSSL issues so it might also be capable of delivering a fix for this. Which would mean that 93% of all devices get the update.
  • Reply 23 of 103
    MacPro Posts: 19,822 member
    acatomic wrote: »
    I forgot to say that it's not a Mac, it's an iPad and it's not jailbroken.

    Ah ... OK sorry, I am using a Mac as I read and assumed .... my bad.
  • Reply 24 of 103
    dasanman69 Posts: 13,002 member
    To quote the first paragraph...

    "The problem affects virtually all Android phones sold since 2010. Bluebox calls the flaw "Fake ID" because it allows malware apps to pass fake credentials to Android, which fails to properly verify the app's cryptographic signature. Instead, Android grants the rogue app all of the access permissions of whatever legitimate app the malware claims to be."

    So, I guess the specific names will be up to the creators.

    You redirected the OP's question. To me it read 'can anyone tell us of any documented infections by a 'super malware' using the Fake ID method?'.
  • Reply 25 of 103
    Quote:

    Originally Posted by WisdomSeed View Post



    While it sounds menacing, has the exploit actually been found in the wild? I'm never sure where the terror starts, there is a vast difference between 'can/might' and 'did'.



    Quote:

    Originally Posted by cnocbui View Post

     

    So can anyone actually name an instance of this 'super-malware' or is the title perhaps ever so slightly misleading?




    Quote:

    Originally Posted by Chipsy View Post





    The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware.

     

     

    I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it, right?

     

    Android is a clusterfu&^ of an OS. A patched together hobbled pile of doo doo. Google is NOT Apple (or Microsoft), who have combined close to 70 years of OS development experience.

  • Reply 26 of 103
    mstone Posts: 11,510 member
    Quote:

    Originally Posted by digitalclips View Post

     
    I see what you are trying to say there ... but surely not ripping off iOS in the first place would have been a better way to achieve 'good terms' with Apple?


    No doubt Android copied iOS. The problem is that 'ripping off' as you say, is apparently not a legal infringement, otherwise Apple would have filed a suit against them. Everyone wants to take advantage of someone else's good idea. The trick is to do it without violating any patents. It is better, in my opinion, that another US company established the predominant alternative to iOS rather than some Chinese or Korean company. At least Google is bound by US law.

  • Reply 27 of 103
    chipsy Posts: 287 member
    Quote:
    Originally Posted by EricTheHalfBee View Post

     

     

     

    I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it, right?

     

    Android is a clusterfu&^ of an OS. A patched together hobbled pile of doo doo. Google is NOT Apple (or Microsoft), who have combined close to 70 years of OS development experience.




    lol that's what you have as an answer. Your logic completely fails here. It wouldn't be like you said 'I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it'

    My reply was more along the lines of: 'Someone found a vulnerability in Windows but there is no known malware that uses that specific vulnerability to its advantage'.

    My reply by no means insinuated that there is no malware on Android (or Windows for that matter). Just that there is no malware that exploits this vulnerability. Just like Apple's SSL verification issue it's a theoretical danger for now (which of course needs fixing).

  • Reply 28 of 103
    Quote:

    Originally Posted by Chipsy View Post

     



    lol that's what you have as an answer. Your logic completely fails here. It wouldn't be like you said 'I have never had a malware issue on my Windows PC. I guess that means Windows malware doesn't exist, and nobody has ever exploited it'

    My reply was more along the lines of: 'Someone found a vulnerability in Windows but there is no known malware that uses that specific vulnerability to its advantage'.

    My reply by no means insinuated that there is no malware on Android (or Windows for that matter). Just that there is no malware that exploits this vulnerability. Just like Apple's SSL verification issue it's a theoretical danger for now (which of course needs fixing).


     

    It fits your original comment which stated "The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware."

     

    I'm dying for you to tell me how you know there are no real world examples.

     

     

    On a related note:

     

    - If you download apps from Google Play and avoid third party sites, then you won't get malware.

    - If you're too stupid to check the permissions of an app you install, you deserve to get malware.

    - Google will fix this before anyone uses it.

    - BTW, is anyone actually using it? I demand proof.

     

    Does that cover all the excuses usually thrown around? Did I miss any?

  • Reply 29 of 103
    macbook pro Posts: 1,605 member
    evilution wrote: »
    Considering that he will be telling everyone all about it next week, I'm sure there'll be plenty of people ready to utilise the new method.
    What can Google do about it? Release an update to Android? That'll help the 100 or so people who update.


    Sadly, according to market surveys approximately 40% of Google Android users will not be able to receive a security update when and if a security update is ever available.
  • Reply 30 of 103
    dasanman69 Posts: 13,002 member

    I have never had a malware issue on my Windows PC.

    Really? You were either extremely careful, or fortunate, because my old Win XP PC was a malware magnet.
  • Reply 31 of 103
    chipsy Posts: 287 member
    It fits your original comment which stated "The title is indeed somewhat misleading as there are no real world examples of this vulnerability being used by malware."

    I'm dying for you to tell me how you know there are no real world examples.


    On a related note:

    - If you download apps from Google Play and avoid third party sites, then you won't get malware.
    - If you're too stupid to check the permissions of an app you install, you deserve to get malware.
    - Google will fix this before anyone uses it.
    - BTW, is anyone actually using it? I demand proof.

    Does that cover all the excuses usually thrown around? Did I miss any?

    Here's a key sentence used by the discoverers: "This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device."
    It can lead to malicious apps exploiting this vulnerability. But at this moment in time there aren't any known.
    Btw the discoverers of the exploit will also release a free security scanning tool that protects you from it. So a fix through the Play Store seems possible.
  • Reply 32 of 103
    dasanman69 Posts: 13,002 member
    Sadly, according to market surveys approximately 40% of Google Android users will not be able to receive a security update when and if a security update is ever available.

    But remember those people don't get apps nor browse the Web, so they're good. ;)
  • Reply 33 of 103
    dasanman69 Posts: 13,002 member
    chipsy wrote: »
    Here's a key sentence used by the discoverers: "This can lead to a malicious application having the ability to steal user data, recover passwords and secrets, or in certain cases, compromise the whole Android device."
    It can lead to malicious apps exploiting this vulnerability. But at this moment in time there aren't any known.
    Btw the discoverers of the exploit will also release a free security scanning tool that protects you from it. So a fix through the Play Store seems possible.

    I agree with @EricTheHalfBee on this one. The researchers have no real knowledge if anyone else has discovered this exploit, and has used it. They used the word 'can' because they don't know definitively if it's been used or not.
  • Reply 34 of 103
    chipsy Posts: 287 member
    dasanman69 wrote: »
    I agree with @EricTheHalfBee on this one. The researchers have no real knowledge if anyone else has discovered this exploit, and has used it. They used the word 'can' because they don't know definitively if it's been used or not.
    But there is no evidence whatsoever that it has been. Should we just ignore that and just assume it has based on nothing? Then the same could have been done for Apple's SSL verification issue. There were also no known malware exploits but should we have just said then that there were without evidence? That's a bit ridiculous. Furthermore the discoverers have an app that scans apps for it. Surely they used it already to scan apps on the Play Store (of course not all) and if it would have been a widespread problem when it comes to malware exploiting the issue they would have been able to detect this already.

    Edit: apparently Google completely scanned the Play Store and no exploits were found. They also updated Verify Apps and Google Play to protect users from it until the definite fix (which is already sent to OEMs and AOSP) is implemented by OEMs.
  • Reply 35 of 103
    ralphmouth Posts: 192 member

    How do you fix the flaw on all those billions of Android phones that have been sold since 2010?

     

    This is the main difference between Android and iOS that the anti-iOS crowd ignores. Flaws and security breaches are found in both OSes all the time. However it is a lot easier to get the fix out to all the iOS devices. 

  • Reply 36 of 103
    MacPro Posts: 19,822 member
    dasanman69 wrote: »
    You redirected the OP's question. To me it read 'can anyone tell us of any documented infections by a 'super malware' using the Fake ID method?'.

    Oops sorry, I do that more and more these days ... I need new glasses or another coffee. Apologies...
  • Reply 37 of 103
    MacPro Posts: 19,822 member
    mstone wrote: »
    No doubt Android copied iOS. The problem is that 'ripping off' as you say, is apparently not a legal infringement, otherwise Apple would have filed a suit against them. Everyone wants to take advantage of someone else's good idea. The trick is to do it without violating any patents. It is better, in my opinion, that another US company established the predominant alternative to iOS rather than some Chinese or Korean company. At least Google is bound by US law.

    I guess that was Bill Gates' thinking too. The problem is as others posted earlier, it is deliberately calculated that by the time the courts do anything it is too late and the fines are more than covered by ill-gotten gains. Only major players can do this, Gates with IBM's backing and now Google and Samsung. If you or I tried to sell a rip off we'd be crushed. There is something not right about the big boys stealing and profiting just because of the system.
  • Reply 38 of 103
    singularity Posts: 1,328 member
    A Google spokesperson said that after Bluebox’s disclosure, it quickly issued a patch that was distributed to Android partners and to the Android Open Source Project.

    “Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,” the spokesperson added.

    http://www.theguardian.com/technology/2014/jul/29/android-fake-id-flaw-google-patch
    Not that I have to worry on my nexus 7.
  • Reply 39 of 103
    MacPro Posts: 19,822 member
    A Google spokesperson said that after Bluebox’s disclosure, it quickly issued a patch that was distributed to Android partners and to the Android Open Source Project.

    “Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability,” the spokesperson added.

    http://www.theguardian.com/technology/2014/jul/29/android-fake-id-flaw-google-patch
    Not that I have to worry on my nexus 7.

    Loved the comment below that article by this wag BensonBenson ... "I always use Microsoft products, to avoid any sort of fraud or hacking issues..." I nearly snorted my coffee down my nose.
  • Reply 40 of 103
    matt45 Posts: 9 member
    Quote:

    Originally Posted by acatomic View Post





    I forgot to say that it's not a Mac, it's an iPad and it's not jailbroken.

    The other way to load an app outside of the app store is by using a signed ad hoc provisioning profile (which you're typically limited to an audience of 100 devices) or an enterprise provisioning profile (I think has no limit) both of which must have a valid Developer Apple ID account and can be blocked by Apple if it wishes to do so.

     

    Did you get a prompt to install a certificate before installing the update?

     

    something like this:

     
