ALERT: Fake ID Lets Malware Impersonate Legit Android Apps


fakeIDAttention: Android users running Android 2.1 to 4.4 may be vulnerable to a critical bug.

New research has uncovered what is being called a critical vulnerability in the Android app digital certification process known as Fake ID. According to reports, Fake ID allows attackers to craft fraudulent digital certificates that will not be verified by the Android package installer, due to a coding flaw that does not correctly verify digital certificate chains. Such certificates can be attached to malware, to impersonate legitimate development companies, including Adobe, Google, and 3LM. Due to the way preloaded applications from these companies are hardcoded into Android devices, malware purporting to be signed by them can gain direct access to other apps. From there, the malware could access personal information stored on breached apps or act as a malicious plugin to manipulate the app in any number of ways. As yet, Google has reportedly made changes that mitigate Fake ID in Android 4.4, but according to Ars Technica the corporation has not issued a formal patch to be applied to all affected versions. For full coverage, see: Android crypto blunder exposes users to highly privileged malware.

For more on digital certificates, look no further than the Emsisoft Knowledgebase.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

 

Senan Conrad

Senan Conrad

Senan specializes in giving readers insight into the constantly and rapidly changing world of cybersecurity. When he’s not tapping away at his keyboard, he enjoys drinking a good coffee or tinkering in his workshop.

What to read next