There's A Terrifying Android Vulnerability That Could Let Hackers Completely Take Over Your Phone
Here's the basic idea: Every Android app is signed with a digital certificate that serves as its identity, and this particular vulnerability allows malware to fake a trusted developer's identity, so that it can impersonate that developer's applications without you knowing. Bluebox researchers aptly nicknamed the vulnerability "Fake ID."
Worse, it affects almost all Android phones. Bluebox says the vulnerability dates back to the January 2010 release of Android 2.1 and affects every device that has not been patched for "Google bug 13678484," which was disclosed to Google and for which a patch was released in April.
The root of this vulnerability lies in how Android handled what's called a "certificate chain": a sequence of digitally signed certificates in which each certificate is supposed to be signed by the one above it, ending at a trusted issuer, so that the system can decide whether an app comes from a trusted source and may be allowed to share data or code with other apps. The vulnerability is that Android accepted the chain's claims about who issued each certificate without actually verifying the signatures, so a forged chain could not be told apart from a genuine one.
Bluebox outlined some of the implications of this exploit:
An attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (which explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems - leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.
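To make the failure concrete, here is an added toy model of the two behaviours Bluebox describes; it is not Bluebox's, Google's or Android's code. It uses textbook RSA with fixed, deliberately small Mersenne primes and hypothetical names ("Adobe Systems", "Flash Player", an attacker key) so it runs offline with only the Python standard library. The vulnerable check accepts a chain on the strength of its issuer claims plus the presence of the trusted certificate; the hardened check verifies every signature against the next certificate's public key and requires the chain to end at the pinned anchor.

```python
"""Toy model of the Fake ID certificate-chain flaw (added example).

Not Android or Bluebox code. Textbook RSA with small fixed primes, used
only so the example is self-contained; the key sizes are not secure.
"""
import hashlib
import json

E = 65537  # public exponent; coprime to phi(n) for every prime pair below


def make_keypair(p, q):
    """Textbook RSA keypair from two primes (toy sizes, demonstration only)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest(data: bytes, n: int) -> int:
    # Hash reduced mod n so it fits the toy modulus (a real scheme pads instead).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv) -> int:
    return pow(_digest(data, priv["n"]), priv["d"], priv["n"])


def verify(data: bytes, sig: int, pub) -> bool:
    return pow(sig, pub["e"], pub["n"]) == _digest(data, pub["n"])


def tbs(cert) -> bytes:
    """Canonical to-be-signed bytes: every field except the signature."""
    body = {k: v for k, v in cert.items() if k != "sig"}
    return json.dumps(body, sort_keys=True).encode()


def make_cert(subject, issuer, pub, signer_priv):
    """A certificate is (subject, issuer, public key) signed by signer_priv.
    Nothing here checks that signer_priv really belongs to `issuer`; that is
    exactly the check a verifier has to perform."""
    cert = {"subject": subject, "issuer": issuer, "pub": pub}
    cert["sig"] = sign(tbs(cert), signer_priv)
    return cert


# Constructed identities (hypothetical): a CA standing in for Adobe Systems,
# a legitimate app developer key, and an attacker key.
ADOBE_PUB, ADOBE_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
DEV_PUB, DEV_PRIV = make_keypair(2**89 - 1, 2**13 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**19 - 1, 2**17 - 1)
# The trusted, self-signed certificate the plugin manager looks for.
ADOBE_CERT = make_cert("Adobe Systems", "Adobe Systems", ADOBE_PUB, ADOBE_PRIV)


def vulnerable_grants_plugin_privilege(chain) -> bool:
    """Pre-patch behaviour: the installer takes the leaf's issuer claim at face
    value and the plugin manager only looks for the Adobe cert in the chain."""
    leaf = chain[0]
    return leaf["issuer"] == ADOBE_CERT["subject"] and ADOBE_CERT in chain


def chain_verifies(chain, trust_anchor) -> bool:
    """Patched behaviour: each cert's signature must verify under the public
    key of the next cert (the root signs itself), and the chain must end at
    the pinned trust anchor. Chains run leaf -> root."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert
        if cert["issuer"] != issuer["subject"]:
            return False
        if not verify(tbs(cert), cert["sig"], issuer["pub"]):
            return False
    return chain[-1] == trust_anchor


def hardened_grants_plugin_privilege(chain) -> bool:
    return chain_verifies(chain, ADOBE_CERT)


def build_demo_chains():
    """Returns (legitimate_chain, forged_chain), both leaf -> root."""
    # Genuine: the developer cert really is signed with Adobe's private key.
    legit_leaf = make_cert("Flash Player", "Adobe Systems", DEV_PUB, DEV_PRIV and ADOBE_PRIV)
    # Forged: same issuer *claim*, but signed with the attacker's own key and
    # carrying the attacker's public key, then bundled with the real Adobe cert.
    forged_leaf = make_cert("Flash Player", "Adobe Systems", ATTACKER_PUB, ATTACKER_PRIV)
    return [legit_leaf, ADOBE_CERT], [forged_leaf, ADOBE_CERT]


if __name__ == "__main__":
    legit, forged = build_demo_chains()
    for name, chain in (("legitimate", legit), ("forged", forged)):
        print(name, "vulnerable:", vulnerable_grants_plugin_privilege(chain),
              "hardened:", hardened_grants_plugin_privilege(chain))
```

The forged chain passes the vulnerable check for the same reason the real attack worked: the leaf says "issued by Adobe Systems" and the genuine Adobe certificate is sitting right next to it, and nobody checks that Adobe's key actually signed the leaf. The hardened check fails it at the signature step, because the leaf's signature only verifies under the attacker's public key, not Adobe's.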
Bluebox Labs researcher Jeff Forristal said he will offer more technical details of the exploit, including how it was found, and how it works, during his talk at the Black Hat USA conference in Las Vegas, which begins Aug. 2.
If you use Android 4.4 (known as KitKat) or you received Google's April patch before your phone was attacked, you're safe.
Bluebox released a free security scanner that will let you know if your phone has been affected.