
Fake ID

#13678484

The vulnerability known as "Fake ID" lets a malicious application pose as a legitimate, trusted Android application by using a forged or compromised digital signature. It can lead to the installation and launch of a Trojan that carries out dangerous actions on the compromised device.

The vulnerability affects Android versions 2.1 to 4.4 on which bug 13678484 has not been fixed (some smartphone and tablet vendors have already addressed the problem with a dedicated update (patch)).

Dr.Web Anti-virus for Android detects and removes malware that exploits this vulnerability, including at the moment it is being installed on the attacked device. Dr.Web users are therefore effectively protected against this kind of Trojan.

Technical details

Android applications are digitally signed. A signature can be linked to another, parent signature (the publisher's). Such signatures are built on a so-called public key infrastructure (PKI). Within the PKI operates a certification authority, which issues the digital certificates that applications use. If the certification authority is trusted on a given system, every certificate it issues (an electronic document containing the public key) is considered trustworthy, and so is the certificate's owner.

Digital signatures play a significant role in the Android security model: the system uses them to decide whether an update to an application is allowed, which programs may share data with the application, which API features the program may use, and so on. The author's public key is used to verify the application signature. For that, the public key itself must first be validated by checking the corresponding certificate against the certification authority, which gives rise to the so-called "certificate chain". The essence of Fake ID is that the security system of vulnerable Android versions does not verify the certificate chain when an application is installed. An attacker can therefore create a fake certificate in the name of a trusted certification authority and use it to sign an application, which is then installed on the device without any further checks.

An example of this is an application that an attacker has signed with two certificates: a genuine one issued by the Adobe Systems certification authority and a fake one. When such an application is installed, the Android package installer does not verify the certificate chain and creates a signature for the application that includes both certificates. An application carrying this signature can be used by other applications as a WebView plugin for playing interactive Flash content, and it has special privileges in the system. Taking advantage of this, attackers are able to inject malicious code into other Android applications through the WebView plugin.
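To make the missing step concrete, here is an added Go example (not Dr.Web's or Android's code) that contrasts a name-only issuer match, the behaviour Fake ID exploits, with real signature verification against the trusted CA. Every key, CA name and certificate in it is constructed for the demonstration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// makeCert issues a certificate for subject; parent == nil means self-signed (a root CA).
// Every key and certificate here is constructed for the demonstration.
func makeCert(subject string, key *ecdsa.PrivateKey, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der))
}
// nameOnlyCheck is the flawed Fake ID logic: accept the app certificate when its Issuer name merely matches the trusted CA's Subject.
func nameOnlyCheck(app, trustedCA *x509.Certificate) bool {
	return app.Issuer.CommonName == trustedCA.Subject.CommonName
}
// signatureCheck is the missing step: the app certificate's signature must verify under the trusted CA's public key.
func signatureCheck(app, trustedCA *x509.Certificate) bool {
	return app.CheckSignatureFrom(trustedCA) == nil
}
// Scenario: a trusted CA, an attacker CA that only copies its name, an app cert issued by the fake CA, and a genuine one issued by the real CA.
func Scenario() (nameOnlyAcceptsFake, sigAcceptsFake, sigAcceptsGenuine bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	trustedKey, attackerKey, appKey := newKey(), newKey(), newKey()
	trustedCA := makeCert("Example Trusted CA", trustedKey, nil, nil, true)
	fakeCA := makeCert("Example Trusted CA", attackerKey, nil, nil, true) // same name, different key
	fakeApp := makeCert("Impostor App", appKey, fakeCA, attackerKey, false)
	genuineApp := makeCert("Genuine App", appKey, trustedCA, trustedKey, false)
	return nameOnlyCheck(fakeApp, trustedCA), signatureCheck(fakeApp, trustedCA), signatureCheck(genuineApp, trustedCA)
}
```

Running Scenario shows the name-only check accepting the impostor while the signature check rejects it and still accepts the genuinely issued certificate.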

See also information about other vulnerabilities