Incident: Android Digital Certificates Compromised, Leading to Malicious App Approval

Published Date: 2014-07-29

Postmortem Analysis
Timeline
1. The software failure incident mentioned in Article 136363 happened on the date the article was published, which is December 2, 2022.
2. The software failure incident mentioned in Article 28466 happened before the article was published on July 29, 2014.

System
1. Android mobile operating system
2. Digital certificates used by vendors to validate vital system applications
3. Identity certificates used for app security on Android
4. Certificate chain verification mechanism on Android
5. Specific signatures granting special privileges on Android
6. Android cryptographic code for verifying issuer signatures
7. Android Near Field Communications (NFC) file signature
8. Google Wallet application signature
[Cited Articles: #136363, #28466]

Responsible Organization
1. Vendors who used compromised digital certificates to validate vital system applications [136363]
2. Android's cryptographic code that did not adequately verify the certificate chain, allowing for the Fake ID flaw [28466]

Impacted Organization
1. Android device manufacturers such as Samsung and LG were impacted by the software failure incident reported in the articles [136363, 28466].

Software Causes
1. The failure incident was caused by compromised digital certificates used by vendors to validate vital system applications on Android devices [136363].
2. The incident was also caused by a flaw in Google's mobile software that allowed malicious apps to appear as if they were from legitimate developers due to inadequate checks on the certificate chain [28466].

Non-software Causes
1. Lack of adequate checks on the certificate chain in Android's cryptographic code [28466]
2. Compromised digital certificates used by vendors to validate vital system applications [136363]

Impacts
1. The compromised digital certificates used by Android device manufacturers allowed for the validation of malicious Android apps, potentially leading to the approval of malware with extensive permissions [136363].
2. The incident highlighted a security vulnerability that could have exposed millions of Android users to attacks from malicious apps appearing to be from legitimate developers [28466].
3. The flaw in the Android software, named "Fake ID," allowed attackers to create fake identities and gain special privileges, such as launching webview plugins in other applications, potentially leading to the execution of malicious code and infecting devices with malware [28466].

Preventions
1. Regular security audits and penetration testing to identify vulnerabilities and weaknesses in the software [136363].
2. Implementing robust certificate management practices to ensure the integrity and authenticity of digital certificates used in the software [136363, 28466].
3. Timely software updates and patches to address known vulnerabilities and mitigate potential risks [136363, 28466].
4. Enhanced verification mechanisms for certificate chains to prevent unauthorized access and misuse of privileges [28466].
5. Strengthening security measures in the software supply chain to detect and prevent malicious activities [136363].

Fixes
1. Rotating keys and pushing out fixes to users' phones automatically [136363].
2. Implementing scanner detections for any malware attempting to abuse compromised certificates [136363].
3. Deploying mechanisms like Google Binary Transparency to verify the intended, verified version of Android running on a device [136363].
4. Issuing patches to protect Android users from attacks exploiting flaws in the software [28466].
5. Enhancing Google Play and Verify Apps to protect users from vulnerabilities [28466].

References
1. Google [136363]
2. Bluebox Labs [28466]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to compromised digital certificates impacting Android devices has happened again at Samsung and LG. In the recent incident, a number of digital certificates used by vendors, including Samsung and LG, were compromised and abused to validate malicious Android apps [136363]. Similarly, in a previous incident named "Fake ID," a flaw in Google's mobile software allowed attackers to create new certificates that appeared to have been issued by trusted entities like Adobe Systems, potentially leading to the installation of malicious apps with elevated privileges [28466].
(b) The software failure incident related to compromised digital certificates impacting Android devices has also happened at multiple organizations beyond Samsung and LG. The incident highlighted in article [136363] mentions that digital certificates from various vendors were compromised, indicating that multiple organizations were affected. Additionally, the "Fake ID" flaw reported in article [28466] revealed a vulnerability in Android's signature verification process that could be exploited by attackers to gain unauthorized privileges, potentially affecting a wide range of organizations and their products/services utilizing Android software.

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in Article [136363]. The incident involved compromised digital certificates used by vendors to validate vital system applications on Android devices. These certificates were abused to put a stamp of approval on malicious Android apps, allowing attackers to grant their own software permissions it shouldn't have. This failure was due to a flaw in the design of the privilege model in Android, where different software running on Android phones, including third-party apps and the operating system itself, is restricted based on its needs but was compromised due to the stolen certificates.
(b) The software failure incident related to the operation phase can be observed in Article [28466]. The incident, known as "Fake ID," exploited a flaw in Android's app security mechanism, where inadequate checks on the certificate chain allowed an attacker to create a new certificate that appeared to have been issued by a trusted entity like Adobe or Google. This flaw in the operation of Android's security checks enabled malicious apps to gain special privileges without alerting the user, potentially leading to the execution of malicious code on the device and infecting it with malware.

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident reported in the articles is primarily within the system. In both Article 136363 and Article 28466, the incidents describe vulnerabilities and flaws within the Android operating system itself that were exploited by attackers. In Article 136363, the compromise of digital certificates used by vendors to validate system applications led to the abuse of permissions by malicious Android apps. Similarly, in Article 28466, the "Fake ID" flaw in Android versions 2.1 to 4.4 allowed attackers to manipulate the certificate chain and gain unauthorized privileges on devices. These incidents highlight internal weaknesses within the Android software that were exploited by attackers [136363, 28466].
(b) outside_system: There is no explicit mention in the articles of the software failure incident being caused by contributing factors originating from outside the system. The focus of the incidents is on vulnerabilities, flaws, and compromises within the Android operating system itself that were exploited by attackers. Therefore, the software failure incidents discussed in the articles are primarily within the system, with no significant emphasis on external factors contributing to the failures.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions: In Article 136363, it is reported that a number of digital certificates used by vendors to validate vital system applications were compromised and abused to put a stamp of approval on malicious Android apps. This compromise of digital certificates allowed attackers to grant their own software permissions it shouldn't have, leading to the potential creation of malware with extensive permissions [136363].
(b) The software failure incident occurring due to human actions: In Article 28466, the software failure incident known as "Fake ID" was caused by a flaw in Google's mobile software related to how app security is checked on Android. The problem stemmed from inadequate checks on the certificate chain, allowing an attacker to create new certificates that appeared to have been issued by trusted entities like Adobe Systems or Google Wallet, thereby granting malicious apps extensive permissions without alerting the user [28466].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident related to hardware:
- The incident reported in Article 136363 involves compromised digital certificates used by vendors to validate vital system applications on Android smartphones like Samsung and LG [136363].
- The compromised "platform certificates" allowed attackers to create malware with extensive permissions without user interaction, indicating a vulnerability in the hardware security model [136363].
(b) The software failure incident related to software:
- The incident in Article 28466, known as "Fake ID," was a flaw in Google's mobile software that allowed malicious apps to appear legitimate and gain special privileges by exploiting the certificate chain verification process [28466].
- Bluebox Labs discovered that Android did not carry out adequate checks on the certificate chain, leading to the undermining of the signature system and enabling attackers to run malicious code on devices [28466].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident reported in Article #136363 involved malicious activity. Google revealed that digital certificates used by vendors to validate vital system applications were compromised and abused to put a stamp of approval on malicious Android apps. Attackers abused the compromised certificates to grant their own software permissions it shouldn't have, allowing them to create malware with extensive permissions without needing to trick users into granting them. The incident highlighted the potential security risks and the need for thoughtful design and transparency in security measures [136363].
(b) The software failure incident reported in Article #28466 involved non-malicious factors. The flaw, named "Fake ID" by security company Bluebox Labs, was a result of inadequate checks on the certificate chain in Android's cryptographic code. This flaw allowed an attacker to create a new certificate that appeared to have been issued by a trusted entity, granting malicious applications privileges they shouldn't have. Google issued a patch to address the vulnerability and enhanced Google Play and Verify Apps to protect users from potential exploitation of the flaw [28466].

Category: Intent (Poor/Accidental Decisions)
Option: accidental_decisions
Rationale:
(a) The software failure incident reported in Article #136363 was not due to poor decisions but rather due to a compromise of digital certificates used by vendors to validate vital system applications, leading to the abuse of these certificates to put a stamp of approval on malicious Android apps. Google mentioned that Android device manufacturers had rolled out mitigations, rotating keys and pushing out fixes to users' phones automatically to address the issue [136363].
(b) The software failure incident reported in Article #28466 was due to a flaw in Google's mobile software named "Fake ID" that allowed malicious apps to appear to come from legitimate developers, exploiting vulnerabilities in the app security checks on Android. Bluebox Labs discovered this flaw, which undermined the signature system by not carrying out adequate checks on the certificate chain, allowing attackers to gain special privileges by creating fake certificates [28466].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale:
(a) The software failure incident reported in Article 28466 was due to a flaw in Google's mobile software named "Fake ID." This flaw allowed malicious apps to appear as if they were from legitimate developers, potentially exposing millions of Android users to attacks. The issue stemmed from a failure in how app security was checked on Android, specifically in the verification of the certificate chain. Bluebox Labs, the security company that discovered the flaw, highlighted that Android did not carry out adequate checks on the certificate chain, allowing an attacker to create a new certificate that appeared to have been issued by a trusted entity like Adobe Systems or Google. This lack of proper verification led to the exploitation of the signature system, enabling malicious apps to gain unauthorized privileges without user awareness [28466].
(b) The software failure incident reported in Article 136363 involved compromised digital certificates used by vendors to validate vital system applications on Android devices. This incident was not accidental but rather a deliberate compromise of the certificates by attackers to put a stamp of approval on malicious Android apps. The compromised certificates allowed attackers to grant their own software permissions it shouldn't have, potentially leading to the creation of malware with extensive permissions without user consent. The incident highlighted the importance of robust security measures and the need for timely mitigation efforts by Android device manufacturers and Google to address the threat posed by the compromised certificates [136363].

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident described in Article 136363 was temporary. The incident involved compromised digital certificates used by vendors to validate vital system applications on Android devices. Google stated that Android device manufacturers had rolled out mitigations, rotated keys, and pushed out fixes to users' phones automatically to address the issue. Additionally, Google added scanner detections for any malware attempting to abuse the compromised certificates. The incident was addressed through a consortium known as the Android Partner Vulnerability Initiative, and steps were taken to prevent further exploitation of the compromised certificates [136363].
(b) The software failure incident described in Article 28466 was also temporary. The incident involved a flaw in Google's mobile software named "Fake ID," which allowed malicious apps to appear as if they were from legitimate developers. Bluebox Labs discovered the flaw and highlighted how the Android cryptographic code did not adequately verify the certificate chain, allowing for potential exploitation. Google issued a patch to protect Android users from attacks exploiting the flaw and enhanced Google Play and Verify Apps to protect users. Google stated that it had scanned all applications submitted to Google Play and reviewed from outside of Google Play, finding no evidence of attempted exploitation of the vulnerability [28466].

Category: Behaviour
Option: crash, omission, value
Rationale:
(a) crash: Article 136363 mentions a software failure incident where a number of digital certificates used by vendors to validate vital system applications were compromised and abused to put a stamp of approval on malicious Android apps. This could lead to a crash scenario where the system loses its state and may not perform its intended functions properly [136363].
(b) omission: Article 28466 discusses a flaw in Google's mobile software named "Fake ID" that allowed malicious apps to appear to come from legitimate developers, potentially omitting to perform the intended security checks on the certificate chain. This omission could lead to security vulnerabilities and exploitation of the system [28466].
(c) timing: There is no specific mention of a timing-related failure in the provided articles.
(d) value: Article 28466 describes how the Fake ID flaw in Android allowed malicious apps to gain privileges they shouldn't have, such as launching webview plugins in other applications without proper verification. This type of failure could be categorized as a value-related issue where the system performs its intended functions incorrectly, granting unauthorized access and privileges [28466].
(e) byzantine: There is no indication of byzantine behavior in the provided articles.
(f) other: The articles do not provide information on any other specific behavior of the software failure incident.
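The Fake ID rationale above turns on one detail: Android's chain walker accepted a certificate that merely named a trusted issuer, without verifying that the issuer's key had actually signed it. The following is an added Python model of that check, not code from either article or from Android: a verifier that links certificates by issuer/subject name only is placed beside one that verifies every signature, and a toy privilege rule (plugin access for a chain carrying the trusted signer's identity) is evaluated under both. All keys, names and certificates are constructed toy values, and the textbook RSA over small primes is for illustration only.

```python
import hashlib
import json

# Toy textbook RSA over small, well-known primes. NOT a usable signature
# scheme; it exists only so the chain-walking logic below runs offline.
def make_key(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def sig_ok(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == digest(data, pub["n"])

def tbs(cert):
    # The to-be-signed bytes: every certificate field except the signature.
    return json.dumps({k: v for k, v in cert.items() if k != "sig"}, sort_keys=True).encode()

def make_cert(subject, issuer, subject_key, signing_key):
    cert = {"subject": subject, "issuer": issuer,
            "pub": {"n": subject_key["n"], "e": subject_key["e"]}}
    cert["sig"] = sign(signing_key, tbs(cert))
    return cert

def verify_chain_names_only(chain, trust):
    """Flawed check in the Fake ID style: links certificates by issuer/subject
    name and confirms the root is trusted, but verifies no signature at all."""
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    root = chain[-1]
    return trust.get(root["subject"]) == root["pub"]

def verify_chain(chain, trust):
    """Correct check: each certificate's signature must verify under its
    issuer's public key, and the self-signed root under its own key."""
    if not verify_chain_names_only(chain, trust):
        return False
    for child, parent in zip(chain, chain[1:]):
        if not sig_ok(parent["pub"], tbs(child), child["sig"]):
            return False
    root = chain[-1]
    return sig_ok(root["pub"], tbs(root), root["sig"])

def grants_plugin_privilege(chain, trust, verifier, trusted_signer="Adobe Systems"):
    # Privilege rule under test: an app whose accepted chain carries the
    # trusted signer's identity may run as a webview plugin in other apps.
    return verifier(chain, trust) and any(c["subject"] == trusted_signer for c in chain)

# Constructed keys and certificates; the names are illustrative, not real Adobe material.
ADOBE_KEY = make_key(104729, 1299709)
APP_KEY = make_key(15485863, 32452843)
ATTACKER_KEY = make_key(7919, 1000003)
ADOBE_ROOT = make_cert("Adobe Systems", "Adobe Systems", ADOBE_KEY, ADOBE_KEY)
TRUST = {"Adobe Systems": ADOBE_ROOT["pub"]}
LEGIT_CHAIN = [make_cert("Legit App", "Adobe Systems", APP_KEY, ADOBE_KEY), ADOBE_ROOT]
# The forged leaf names Adobe as issuer and is shipped beside the genuine (public)
# Adobe certificate, but its signature was produced with the attacker's own key.
FORGED_CHAIN = [make_cert("Fake App", "Adobe Systems", ATTACKER_KEY, ATTACKER_KEY), ADOBE_ROOT]
```

The name-only verifier grants the forged chain the same plugin privilege as the legitimate one; the signature-verifying walker rejects it at the leaf, which is the check the patch for this flaw restores.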

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence
Rationale:
(a) death: People lost their lives due to the software failure. No information about people losing their lives due to the software failure was mentioned in the articles [Article 136363, Article 28466].
(b) harm: People were physically harmed due to the software failure. There is no mention of people being physically harmed due to the software failure in the articles [Article 136363, Article 28466].
(c) basic: People's access to food or shelter was impacted because of the software failure. The articles do not discuss any impact on people's access to food or shelter due to the software failure [Article 136363, Article 28466].
(d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incidents described in the articles could potentially impact people's data security and privacy as malicious apps could abuse compromised certificates [Article 136363, Article 28466].
(e) delay: People had to postpone an activity due to the software failure. There is no mention of people having to postpone activities due to the software failure in the articles [Article 136363, Article 28466].
(f) non-human: Non-human entities were impacted due to the software failure. The software failure incidents primarily focus on the compromise of digital certificates and the potential abuse by malicious apps, impacting the security of Android devices [Article 136363, Article 28466].
(g) no_consequence: There were no real observed consequences of the software failure. The articles clearly outline the consequences of the software failure incidents, particularly related to the compromise of digital certificates and the potential abuse by malicious apps [Article 136363, Article 28466].
(h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur. The articles discuss potential consequences such as the abuse of compromised certificates by malicious apps, which could lead to extensive permissions without user awareness [Article 136363, Article 28466].
(i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? The articles do not mention any other specific consequences of the software failure beyond those related to data security and potential abuse of certificates by malicious apps [Article 136363, Article 28466].

Category: Domain
Option: information, finance
Rationale:
(a) The software failure incident reported in the articles is related to the information industry. The incident involves compromised digital certificates used by vendors to validate vital system applications on Android devices, leading to the abuse of these certificates to put a stamp of approval on malicious Android apps [Article 136363].
(h) The incident also has implications for the finance industry as attackers could exploit the compromised certificates to create malware with extensive permissions without user consent, potentially putting financial data at risk [Article 28466].
(m) The software failure incident is not directly related to any other industry mentioned in the options provided.

Sources
