My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Fake ID


With the vulnerability named "Fake ID”, malicious applications can disguise as legitimate trusted applications for Android, using fake or compromised digital signature. This vulnerability can lead to installation and launch of the Trojan program, executing certain dangerous features on a compromised device.

A vulnerability has been identified on versions 2.1-4.4 of the Android devices with uncorrected error 13678484 (some vendors of smartphones and tablets have eliminated this problem by using a special update (patch)).

Dr.Web Anti-virus for Android detects and removes malware that uses this vulnerability even during the installation on the attacked device. Thus, Dr.Web users are effectively protected from this kind of Trojans.

Technical details

Application for Android are digitally signed. This signature can be associated with another signature—parent one (publisher's signature). To form such signatures, a so-called architecture of public keys (Public Key Infrastructure, PKI) is used. The certification authority, that is a publisher of digital certificates using applications, operates within the PKI . If the certification authority is trusted for the given system, all issued certificates (electronic documents containing the digital key) are also considered to be reliable as well as their owner.

The digital signatures play a significant role in the structure of Android security: with their help, the system determines whether update is allowed to the application, what programs can use the data in conjunction with this application, what API features are available to the program, etc. The public key of author's signature is used when verifying application signature. In order to do this, the correctness of the public key must be checked by verifying the appropriate certificate of the certification authority. Thus, the so-called "certificate chain" arises. The essence of the Fake ID vulnerability is that the security system of the vulnerable Android versions does not attempt to authenticate the certificate chain, when installing applications. Therefore, an attacker can create a fake certificate on behalf of a trusted certification authority and use it to sign the application—which thus will be installed on a computer without additional checks.

As an example of such vulnerability can serve the application that an attacker has signed with two certificates: an authentic, issued by the Adobe Systems certification authority and a fake one. When installing such application, the Android package installer does not authenticate the certificate chain, and creates the signature, that uses both certificates, for this application . This application can be used by other applications as a WebView component to play interactive Flash elements and has special privileges within the system. Taking advantage of this, the attackers are able to inject malicious code into other Android applications through the WebView plugin.

See also information about other vulnerabilities

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies