Android ‘Fake ID’ bug lets criminals gain access to Android users’ credit card data

“An Android flaw has been uncovered that lets malware insert malicious code into other apps, gain access to the user’s credit card data and take control of the device’s settings,” Leo Kelion reports for BBC News. “BlueBox Labs said it was particularly concerning as phone and tablet owners did not need to grant the malware special permissions for it to act.”

“The company added it had alerted Google to the problem in advance to allow it to mend its operating system. Google confirmed it had created a fix,” Kelion reports. “However, the many thousands of devices that are still running versions of the operating system ranging from Android 2.1 to Android 4.3 and have not been sent the fix by relevant network operators and manufacturers remain vulnerable if they download apps from outside the Google Play store.”

Jeff Forristal, chief technology officer of BlueBox, gave three examples of how a faked certification signature might be used to cause harm:

• The app pretends to be created by Adobe Systems – Adobe is granted the privilege of being able to add code to other apps in order to support their use of its Flash media-player plug-in. The malware can take advantage of this to install Trojan horse malware into otherwise authentic programs.

• The app uses the same ID used by Google Wallet – the search firm’s mobile payment software is usually the only app allowed to communicate with the secure hardware used to make credit card transactions via a phone’s tap-to-pay NFC (near field communication) chip. By exploiting this, the malware can obtain financial and payment data that would otherwise be protected.

• The app impersonates 3LM software – many manufacturers add their own skins to Android to customise their devices’ user interfaces and functions. In the past, HTC, Sony, Sharp, Motorola and others did this by using extensions created by a now defunct business called 3LM. By masquerading as 3LM’s software, malware could take full control of the relevant devices and both uninstall their existing software as well as adding spyware, viruses and other damaging content of its own.

Read more in the full article here.

MacDailyNews Take: Fragmandroid. Open – as in, wide.


Smart buyers don’t settle for insecure knockoffs of Apple revolutions.

[Thanks to MacDailyNews Readers “Brawndo Drinker” and “Dan K.” for the heads up.]


25 Comments

  1. Dr Steven Murdoch, a security expert at the University of
    Cambridge’s computer laboratory agreed this was a serious
    flaw. But he added that most device owners should still be
    able to avoid being affected.
    “Google will be looking for people who are exploiting this
    vulnerability in applications being distributed through its
    own Google Play store,” he said.
    “So, if that’s the only place that you get apps from, you are
    in a relatively good position.
    “But if you download applications from other sources you
    will be putting yourself at risk.”
    A spokeswoman from Google confirmed that the company
    had scanned all the applications in its own store as well as
    some of those elsewhere.
    “We have seen no evidence of attempted exploitation of this
    vulnerability,” she added.

    All OSes have flaws that can be manipulated maliciously, it all depends on how the company behind the OS reacts to neutralizing these flaws. I must say, as open as Android is Google has done a great job keeping it safe for its end users

    1. Seems like there is a new major Android exploit reported every week or two. What about all the exploits researchers haven’t detected? Feel safe now? I suggest taking a jack hammer to your clown phone.

  2. I haven’t used a malware protection piece of software for a Mac since 1992-3, and never for iOS. I’ve had zero problems with malware. It’s an alternate universe from Android and Windows.

    And don’t give me that crap about being careful and it’s just as secure as Apple’s world. When your opportunities for something to go wrong are 10s of thousands more likely, it eventually will.

    1. From my over-protective perspective:

      iOS doesn’t need any malware protection. Period. There have been three (that I recall) proof-of-concept malware that snuck in, but Apple jumped on them (mostly) with rapid speed.

      For protecting both your Mac and any Windows users with whom you correspond, just get ClamXav. It’s free, it’s constantly being updated and upgraded. It nails the vast majority of both Windows and Mac malware. I personally know and am involved with the folks who keep its Mac malware definitions up-to-date. It runs very nicely on Macs without killing your CPU. /download-pitch

      1. I’ll also point out for newbies that OS X includes two systems for keeping out and killing malware:

        1) Gatekeeper, which is the development name for the ‘Allow applications downloaded from’ interface in the Security & Privacy system preferences. It effectively blocks all Mac software that has not been signed with an Apple approved security certificate (unless you override it or some scammer has stolen a developer’s certificate).

        2) XProtect, which stops the installation of known malware. Apple is constantly keeping it updated (mostly).

        Both of the above have proven to be so successful that recent attempts at inflicting malware on Mac users have effectively dropped to ZERO. (Adware is another matter! And always beware running Java or Flash on the Internet!)

    2. Same story here. Have owned Macs since ’89 and have had no instances of malware, same goes for iOS (bought original iPhone the first day they were sold).

  3. Android is getting HAMMERED with security hole revelations this week, and we’re only three days in! Check out this spooky Android hack:

    Malware gets your Android blabbering to HACKERS
    Boffins get your mobe to spill the beans using Google text-to-speech kit

    Researchers from the Chinese University of Hong Kong have developed bizarre malware that dictates contacts, emails and other sensitive text data in order to steal it.

    In the novel attack a seemingly innocuous app that required no permissions called a bad guy’s phone number and blabbered the stolen data out of the speakers and down the microphone using Google Voice Services (GVS).

    It affected ‘nearly all’ Android devices and could not be detected by VoicEmployer malware or victims, provided savvy hackers conducted the attack in the wee hours with the volume turned down.

    Google: Mind the malware dammit! This is evil!

    1. Kaspersky’s report (from February) has already been scrutinized and found to be correct.

      I suspect you didn’t understand exactly what it stated. The ’10 million’ figure is talking about individual pieces of Android malware software. It is NOT talking about strains of Android malware. This figure indicates the number of infections from malware onto Android devices.

      As for the number of malware strains, check out the first sentence in the article:

      By late January 2014 Kaspersky Lab had accumulated about 200,000 unique samples of mobile malware, up 34% from November 2013…

      But note that even ‘200,000’ is not counting actual Android malware strains. It’s only counting ‘samples’. There are likely to be redundant samples from the same source malware. I’m personally not aware of a definitive count of Android malware. Part of the problem is the continuing EXPONENTIAL increase in Android malware strains, making it impossible to keep up with them at this time. But it is entirely logical to expect there are thousands of Android malware strains at this time.

      If there are others who have kept better track of Android malware numbers, please add to my comments!

      Meanwhile, it is shockingly naive to consider Google’s protection from Android malware to be remotely adequate. And of course, you’re an idiot if you get Android software from some untrusted third party source. Android devices ABSOLUTELY require anti-malware applications running full time. If you’re not using one, you’re BEGGING to get infected. You’re also entirely unrealistic.

      1. I’m glad I was never bitten by an Android bug. The last time I checked there were 11 pieces of malware targeting iOS. 2 found in the App store and quickly deleted, 1 proof-of-concept never released into the wild and 8 targeting jailbroken iPhones.

        As for the Android malware number, I was thrown by the fact that it’s an order of magnitude higher than the number of apps in Google’s store!

    2. The facts are pretty clear and you can easily see it in action for yourself. Just activate any random android phone on a public network and wait a few hours. Then google your SSN and check out all the hits showing up in China.

  4. If you say Ok, google – what’s up with Eric T Schmidt’s face? It’ll secretly retaliate by granting root permissions to any app that wants it for the next 24hrs.

  5. What Gnoff said is perfectly true. It’s sad he gets down voted when he raises a valid point (even if you dislike it).

    Google’s statement:

    —————–
    After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.
    —————–

    I won’t even mention the updates sent to Android partners… We all know the situation but the important points are the following ones:

    No single app in the playstore used this exploit nor can any new application using it be added to the playstore… This means that except if the application comes from a side load AND the user explicitly allows the installation from external sources (which comes with multiple warnings), nothing can happen.

    Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install and continuously during use for suspect behavior. In this case, an application (even a side loaded one) that tries to exploit this flaw will simply be blocked from installing or running. To completely disable Verify App you must go through a procedure that no Joe user would go through.

    In short you need to install an infected app (not a single one has been detected for now) from a side load AND disable Verify App to potentially be touched by this vulnerability.

    It’s about the same as Jailbreaking your iPhone, going on SuperFreeSoft.RU to download an application, install it and then complain about iOS security.

    This is just PR BS. If you think more than 2 seconds about it and if you get a bit over your primal Android bashing habit you’ll also see it.

    1. The usual fandroid lies. Android owns 99.8% of the mobile malware market and google damn well knows it.

      It’s a well documented fact that only a wilful imbecile could possibly try to deny.

      1. The usual Fanboy lie.

        99.8% malware run on Android platform BUT extremely few (And I mean really extremely few) infections have been reported as long as the user didn’t leave Google’s Playstore.

        By some sides Android’s security model is even stronger than the one of iOS that relies only on Apple’s control over the App Store.

        Learn something here and grow up a bit before insulting people…

        http://qz.com/131436/contrary-to-what-youve-heard-android-is-almost-impenetrable-to-malware/

        Article is a bit old but still interesting

        1. Warm fuzzy feelings from an obviously google sponsored article aren’t going to protect your credit card data – especially if it then ends up getting used on some highly deviant pornography websites.

          I wouldn’t be inclined to chance it personally.

          1. Your arguments are of such a high quality and so filled up with high level and relevant technical arguments that I can only admit my defeat.

            I don’t think I’ll be able to reach the heights where you live. So please understand I won’t be able to answer you anymore.

            I hope you feel better now 😉

  6. How long is Android going to get bashed with malware attack ‘maybes’? The comparisons to Windows are just uncalled for. Have you ever heard of a serious case of an Android Malware attack? Compare THAT to Windows. Give the Devil its due, Google have done an incredible job in keeping Android secure. Stop crossing your fingers & hoping for an Android malware ‘wipeout’ and deal with the fact that it is massively difficult to get Android Malware unknowingly.
