Certificate bug let Android apps pretend to be other apps – update


Until recently, Android did not verify the certificate chain of the certificates attached to software being installed. As a result, a rogue app could, for example, pass itself off as an application from Adobe; Adobe apps had extra rights in Android up to and including Android 4.3.

The bug was discovered by researchers at Bluebox. Google issued a patch in April, the company confirmed to the BBC. The patch was rolled out via Google Play Services, the part of Android that can be updated without a full operating system update.

It is not clear whether the security vulnerability has actually been exploited. Android users would have had to download and install a malicious application themselves.

The problem lies in the certificate chain. Android apps ship with security certificates that can be used to verify an app's authenticity; these are the same kind of certificates used in SSL/TLS. A certificate can itself be signed by another certificate: a company like Google, for example, can sign the certificate for the Gmail app with the Google root certificate, making it clear that the app comes from Google.

Until recently, however, Android's package manager did not check whether the cryptographic signature made with the 'parent certificate' was actually valid. As a result, any app could pretend to be an application from Google or Adobe, for example. This is especially serious in the case of Google and Adobe, because apps from Google automatically have the right to read the NFC chip in Android. Up to and including Android 4.3, Adobe had the right to add a plug-in to the WebView of any other app; that right was probably intended for the Flash plug-in, which Android no longer supports.
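The difference between the two checks described above, as an added illustration in Go that is not Android's code and not from the article: the first function accepts a certificate whose issuer field merely names the root (which anyone can copy), the second only accepts a certificate whose signature actually verifies under the root's public key. All keys and names are constructed on the fly; no real vendor material is involved.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key (constructed test material).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert builds a certificate for cn. parent supplies the issuer name; signer is the
// key that really produces the signature. A genuine leaf is signed with the issuer's
// own key; a forgery names the issuer but is signed with a key the attacker controls.
func makeCert(serial int64, cn string, isCA bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// issuerNameMatches is the inadequate check: it only compares the leaf's Issuer
// name with the parent's Subject name. A forger can copy the name, so it proves nothing.
func issuerNameMatches(leaf, parent *x509.Certificate) bool {
	return leaf.Issuer.String() == parent.Subject.String()
}

// signatureVerified is the check that was missing: the leaf's signature must
// validate under the parent's public key (and the parent must be a CA allowed to sign).
func signatureVerified(leaf, parent *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(parent) == nil
}

// Result records what each check says about one leaf certificate.
type Result struct {
	NameMatches bool
	SigValid    bool
}

// Scenario builds a constructed root, a genuine leaf signed by it, and a forged leaf
// that names the root as issuer but is signed by an attacker key; it returns both verdicts.
func Scenario() (genuine, forged Result) {
	rootKey := newKey()
	root := makeCert(1, "Vendor Root CA (constructed)", true, nil, &rootKey.PublicKey, rootKey)

	appKey := newKey()
	genuineLeaf := makeCert(2, "Vendor App (constructed)", false, root, &appKey.PublicKey, rootKey)

	// The forger does not hold rootKey, so the best they can do is copy the root's name
	// into the issuer field and sign with their own key.
	attackerKey := newKey()
	claimedParent := &x509.Certificate{Subject: root.Subject}
	forgedLeaf := makeCert(3, "Vendor App (constructed)", false, claimedParent, &attackerKey.PublicKey, attackerKey)

	genuine = Result{issuerNameMatches(genuineLeaf, root), signatureVerified(genuineLeaf, root)}
	forged = Result{issuerNameMatches(forgedLeaf, root), signatureVerified(forgedLeaf, root)}
	return genuine, forged
}

func main() {
	g, f := Scenario()
	fmt.Printf("genuine leaf: name matches=%v, signature valid=%v\n", g.NameMatches, g.SigValid)
	fmt.Printf("forged  leaf: name matches=%v, signature valid=%v\n", f.NameMatches, f.SigValid)
}
```

Both leaves pass the name comparison; only the genuine one passes `CheckSignatureFrom`, which is the step a package manager must perform for every link in the chain before granting any privilege tied to the signer's identity.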

As a result, attackers posing as an Adobe app could essentially break out of the Android sandbox and inject their own code into other Android apps. Attackers could also impersonate 3LM, device-management software found on phones from HTC, Sony and Motorola, among others, that is used to manage phones remotely. With a forged 3LM signature, attackers would gain complete control over a device.

Update, 18:12: This article initially stated that users of old Android versions are still vulnerable. However, the fix for the bug has been rolled out through Google Play Services, which can be updated separately from the Android installation. The piece has been amended accordingly.
