by 2bridges CIO, Ken Lombardi

Don’t worry. The sky is not falling, but after we heard of this problem 2bridges Technologies thought it was important enough that we write a blog post to make our clients aware.

Due to the level of access to your personal information this exploit allows, it is a good idea to patch this on your Android device as soon as possible. As our mobile devices become more and more enmeshed in our work and personal lives, lots of information gets stored on these phones and tablets, information that probably should not find its way into criminal hands. 2bridges Technologies feels that your data should remain yours.

Specifically, this vulnerability allows malicious apps to masquerade as good apps and helps them (the bad guys) get past the checks in place to prevent illegitimate apps from being installed on your device (these are not the droids you are looking for). Personal information can be gathered, or even complete control of your device achieved, by the bad guys simply through impersonating a security management feature baked into your device.

Here is what Bluebox Security (authors of an Android security app and host to many other services) has to say:

“Users of devices from specific vendors that include device administration extensions are at risk for a partial or full device compromise by malware. The 3LM device extensions (temporarily owned by Motorola and Google) are present in various HTC, Pantech, Sharp, Sony Ericsson, and Motorola devices – and are susceptible to the vulnerability as well.

Other devices and applications that depend upon the presence of specific signatures to authenticate an application may also be vulnerable. Essentially anything that relies on verified signature chains of an Android application is undermined by this vulnerability.”

So what this means is that there are two methods used to exploit this vulnerability, and even if you are running KitKat (Android 4.4), which had the “Adobe System web view plugin privilege escalation” exploit removed, one of the methods (verified signature chains) is still available for the bad guys to leverage on your Android equipment.
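To make the “verified signature chains” point concrete, here is an added Python example (not code from the original post, Bluebox or Android) using the cryptography library. The FakeID bug came from a chain builder that matched an app certificate’s issuer name to a trusted certificate’s subject name without verifying that the trusted key actually signed it; the block below contrasts that name-only check with one that verifies the signature, using made-up certificate names generated on the spot.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(subject, issuer, signing_key, public_key):
    # The issuer field is whatever the caller writes into it; only the
    # signature proves who really issued the certificate.
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=1))
            .sign(signing_key, hashes.SHA256()))

def name_only_chain_ok(leaf, trusted_root):
    # Flawed check: the names line up, but nobody proves the root signed the leaf.
    return leaf.issuer == trusted_root.subject

def signed_chain_ok(leaf, trusted_root):
    # Hardened check: names must match AND the root's key must verify the leaf.
    if leaf.issuer != trusted_root.subject:
        return False
    try:
        trusted_root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                         ec.ECDSA(leaf.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def demo():
    # Constructed certificates: a legitimate leaf issued by the root, and an impostor
    # signed with its own key that merely names the root as its issuer.
    root_key, legit_key, impostor_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Trusted Vendor Root", "Trusted Vendor Root", root_key, root_key.public_key())
    legit = make_cert("Legit App", "Trusted Vendor Root", root_key, legit_key.public_key())
    impostor = make_cert("Impostor App", "Trusted Vendor Root", impostor_key, impostor_key.public_key())
    return {
        "legit_name_only": name_only_chain_ok(legit, root),
        "impostor_name_only": name_only_chain_ok(impostor, root),
        "legit_signed": signed_chain_ok(legit, root),
        "impostor_signed": signed_chain_ok(impostor, root),
    }
```

The name-only check accepts both certificates, while the signature check accepts only the one the root really issued, which is why a patch that restores signature verification closes the hole.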

Exploration – do you have this vulnerability?

It is not difficult to determine if your devices are vulnerable to these exploits. Bluebox Security offers an application that will make this very simple, the “Bluebox Security Scanner”.

It is free and available on the Google Play Store: https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner&hl=en

Once you install and run the Bluebox scanner, it will look over your device and give you a screen with a bit of information on it. I want to focus on the “Security Patch Status” container, in particular the “Bug 13678484 (FakeID):” item. The screenshot shows that the device being tested is Patched. If yours shows ‘Unpatched’ then you should take steps to patch it.

Sadly, the directions I have are only for rooted devices. If you haven’t rooted your device you should call your vendor or carrier (Verizon, T-Mobile, etc.) and ask them how to obviate the risk of this exploit.

For rooted users only – Patching

We will be using an application available through XDA forums to install a patch for this bug.

Before we move to that step we need to make a temporary change to our security settings in order to allow us to install an application which doesn’t come directly from the Google Play Store.

You need to go to your Settings or System Settings menu, navigate to Security and select that menu item. Now find the “Unknown Sources [ ]” choice and check that box.

Remember where you saw this selection because when we are done we want to go back and uncheck that box.

Return to the home screen or use your app selector to choose your browser. Go to the URL below.

http://forum.xda-developers.com/xposed/xposed-installer-versions-changelog-t2714053

We are going to install this Xposed framework application to enable us to patch the exploit.


Download:

You can download the installer from http://dl.xposed.info/latest.apk

Quoting from XDA:

First step for everything you do: Create a nandroid backup and make sure you know how to restore it!

I’m not responsible for anything you do with your phone/tablet/rice cooker.

There is also the risk of soft-bricking your device. In such a case, see below for ways to recover from it.

Installation of the framework

  1. Download the Xposed Installer APK and install it
  2. Launch the Xposed Installer, go to the “Framework” section and click on “Install/Update”
  3. Reboot
  4. Done!

You can verify this by starting the Xposed Installer again and making sure that the numbers in the “Framework” section are Green.

After you click the link above you will need to select an application to download the Xposed Installer. If you have more than one browser, select the one you like best.

After the download begins you will see a downward-pointing arrow at the top of your screen (probably the left side) showing you that the file is being downloaded. Now enter your notification area (I pull the screen down from the top – YMMV, Your Mileage May Vary) and click on the file.

It should say something along the lines of:

Download Complete
de.robu.android.xposed.installer_V32_de4f0d.apk

Click on that and install it. Then open the app.

Select Framework – Install and reboot.

After Rebooting

After rebooting and restarting the Xposed Installer you will need to download and install a module that will actually do the patching of the exploit. The module is called “Fake ID fix”.

Installation of the FakeID module

Download the Fake ID fix module by starting the Xposed Installer and selecting the Download section.

Click on the magnifying glass and enter “Fake”.

The Fake ID fix module should be at the top of the filtered list of modules – click it.
Install the module like any other application – the source link is down near the bottom of the module description page.

Re-enter Xposed and select Modules – enable the newly installed Fake ID fix module by checking the checkbox.

Reboot (again)

You should run the Bluebox Security Scanner again and ensure that you are now patched.

If you have any questions about this post or you are uncomfortable with this process please give us a call at 2bridges Technologies (253) 292-9989 and we will be happy to help you.