Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Fake ID

#13678484

With the vulnerability named "Fake ID”, malicious applications can disguise as legitimate trusted applications for Android, using fake or compromised digital signature. This vulnerability can lead to installation and launch of the Trojan program, executing certain dangerous features on a compromised device.

A vulnerability has been identified on versions 2.1-4.4 of the Android devices with uncorrected error 13678484 (some vendors of smartphones and tablets have eliminated this problem by using a special update (patch)).

Dr.Web Anti-virus for Android detects and removes malware that uses this vulnerability even during the installation on the attacked device. Thus, Dr.Web users are effectively protected from this kind of Trojans.

Technical details

Application for Android are digitally signed. This signature can be associated with another signature—parent one (publisher's signature). To form such signatures, a so-called architecture of public keys (Public Key Infrastructure, PKI) is used. The certification authority, that is a publisher of digital certificates using applications, operates within the PKI . If the certification authority is trusted for the given system, all issued certificates (electronic documents containing the digital key) are also considered to be reliable as well as their owner.

The digital signatures play a significant role in the structure of Android security: with their help, the system determines whether update is allowed to the application, what programs can use the data in conjunction with this application, what API features are available to the program, etc. The public key of author's signature is used when verifying application signature. In order to do this, the correctness of the public key must be checked by verifying the appropriate certificate of the certification authority. Thus, the so-called "certificate chain" arises. The essence of the Fake ID vulnerability is that the security system of the vulnerable Android versions does not attempt to authenticate the certificate chain, when installing applications. Therefore, an attacker can create a fake certificate on behalf of a trusted certification authority and use it to sign the application—which thus will be installed on a computer without additional checks.

As an example of such vulnerability can serve the application that an attacker has signed with two certificates: an authentic, issued by the Adobe Systems certification authority and a fake one. When installing such application, the Android package installer does not authenticate the certificate chain, and creates the signature, that uses both certificates, for this application . This application can be used by other applications as a WebView component to play interactive Flash elements and has special privileges within the system. Taking advantage of this, the attackers are able to inject malicious code into other Android applications through the WebView plugin.

See also information about other vulnerabilities

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040