Google Android allows malware to masquerade as legit, trusted apps thanks to weaknesses in the way the operating system checks digital certificates of authenticity.

The flaw, dubbed Fake ID by its discoverers at Bluebox Security, affects all versions of Android from 2.1 (released in 2010) up to Android 4.4. Although Google issued a patch in April, it's feared millions of handhelds are still at risk as not all gadget manufacturers have pushed out the patch.

"A fix has been made for many of 4.x versions and those fixes have been sent to devices manufacturers," Jeff Forristal, chief technology officer of BlueBox, told The Register.

"At this point it's up to the discretion of device manufactures as when to apply that update. Google can't control an open ecosystem in the same way Apple can with its closed model."

The Fake ID problem is due to weakness in the way applications can be trusted by their certificate chain: a vendor like Adobe can digitally sign an app to prove, cryptographically, that it built the software and that it's legit.

Bluebox discovered that a miscreant can create his or her own identity certificate, falsely claim it has been signed by Adobe as trustworthy, and then use that identity certificate to sign a malicious piece of software. That malware, to Android, now looks like Adobe-trusted code and the OS allows it to run with special privileges, no questions asked.

This is entirely possible because the checking process is incomplete: it simply doesn't check up the chain to verify, in this case, that Adobe really did issue the cert.

For example, an attacker could exploit this bug to allow some malware to masquerade as an Adobe webview plugin. The system trusts Adobe webview plugins, such as Flash, and allows them to install and run. Programs that claim to be Adobe plugins have the power to insert code into apps, Bluebox explained. At that point, personal data can be siphoned off, or worse.

Punched in the wallet

Bluebox also says Google's own Wallet payment system is susceptible to the Fake ID attack. Malicious code can harvest credit card numbers, to put it bluntly.

"We appreciate Bluebox responsibly reporting this vulnerability to us; third party research is one of the ways Android is made stronger for users," a Google spokesman told El Reg in an emailed statement.

"After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play and we have seen no evidence of attempted exploitation of this vulnerability."

That Google has issued a patch and is checking Play for applications is welcome, but that still leaves a sizable pool of handsets out there that are still vulnerable. Bluebox has built an application to test for the flaw and has a couple of ideas for those who still haven't got the patch.

"First off, steer clear of unauthorized application stores or markets offering cracked versions of code and only take apps from trusted sources," Forristal advised.

"In addition, if your phone is unpatched then you need to make a customer service enquiry to the phone manufacturer and your carrier and put pressure on for a network update. Keep pressure on both parties to motivate than to be part of the release cycle rather than being lackadaisical about it." ®