ALERT: Fake ID Lets Malware Impersonate Legit Android Apps
New research has uncovered what is being called a critical vulnerability in the Android app digital certification process, known as Fake ID. According to reports, Fake ID allows attackers to craft fraudulent digital certificates that the Android package installer accepts without proper verification, because of a coding flaw in how it validates digital certificate chains. Such certificates can be attached to malware to impersonate legitimate development companies, including Adobe, Google, and 3LM. Because the certificates of preloaded applications from these companies are hardcoded into Android devices, malware purporting to be signed by them can gain direct access to other apps. From there, the malware could access personal information stored in the breached apps or act as a malicious plugin to manipulate an app in any number of ways. So far, Google has reportedly made changes that mitigate Fake ID in Android 4.4, but according to Ars Technica the corporation has not issued a formal patch to be applied to all affected versions. For full coverage, see: Android crypto blunder exposes users to highly privileged malware.
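To make the verification flaw described above concrete, here is an added illustration that is not part of the original alert and is not code from Android, Emsisoft, or the Fake ID researchers. It models two chain validators over a toy certificate format: a flawed one that matches a certificate's issuer by name alone, and a correct one that checks each certificate's signature against the public key of its issuer and anchors the chain on a pinned trust store. The names (TrustedIssuer, LegitApp, MalwareApp) and the tiny textbook RSA keys are constructed for the example and are not secure or real.

```python
"""Toy certificate chain validation: issuer-name matching versus signature verification.

Everything here is constructed for illustration. The RSA keys use small fixed primes
so the example runs instantly; they offer no security and mirror no real product.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

PubKey = Tuple[int, int]  # (n, e)


def make_keypair(p: int, q: int, e: int = 65537) -> Tuple[PubKey, int]:
    """Textbook RSA key generation from two (here: small, constructed) primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), d


@dataclass
class Cert:
    subject: str
    issuer: str
    pubkey: PubKey      # public key of the subject
    signature: int = 0  # issuer's signature over tbs()

    def tbs(self) -> bytes:
        """The to-be-signed bytes: every field except the signature itself."""
        return f"{self.subject}|{self.issuer}|{self.pubkey[0]}|{self.pubkey[1]}".encode()


def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(cert: Cert, issuer_pub: PubKey, issuer_priv: int) -> Cert:
    """Issuer signs the certificate body with its private exponent."""
    n, _ = issuer_pub
    cert.signature = pow(digest_int(cert.tbs(), n), issuer_priv, n)
    return cert


def signature_valid(cert: Cert, issuer_pub: PubKey) -> bool:
    """Recover the digest with the issuer's public key and compare to the body hash."""
    n, e = issuer_pub
    return pow(cert.signature, e, n) == digest_int(cert.tbs(), n)


def flawed_chain_check(chain: List[Cert], trust_store: Dict[str, Cert]) -> bool:
    """Models the defect class: the chain is walked by issuer NAME only.

    A certificate that merely claims a trusted issuer in its issuer field is accepted;
    the signature is never checked against that issuer's key.
    """
    for i, cert in enumerate(chain):
        if cert.issuer in trust_store:
            return True
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False
    return False


def correct_chain_check(chain: List[Cert], trust_store: Dict[str, Cert]) -> bool:
    """Each certificate must be signed by the key of the next certificate in the chain;
    the last issuer must be a pinned trust anchor, and its pinned key does the verifying."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
            if issuer.subject != cert.issuer:
                return False  # broken naming link in the chain
        else:
            issuer = trust_store.get(cert.issuer)
            if issuer is None:
                return False  # chain does not end at a trust anchor
        if not signature_valid(cert, issuer.pubkey):
            return False  # issuer name claimed, but not actually signed by that issuer
    return True


# Constructed keys (small fixed primes, toy only).
ROOT_PUB, ROOT_PRIV = make_keypair(1000003, 1000033)
INTER_PUB, INTER_PRIV = make_keypair(1000037, 1000039)
APP_PUB, _ = make_keypair(1000081, 1000099)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(999983, 1000081)

# The platform's pinned trust anchor, keyed by name but carrying the pinned public key.
TRUST_STORE: Dict[str, Cert] = {
    "TrustedIssuer": Cert("TrustedIssuer", "TrustedIssuer", ROOT_PUB),
}


def legit_chain() -> List[Cert]:
    """Leaf signed by an intermediate, intermediate signed by the trust anchor (leaf first)."""
    inter = sign(Cert("Intermediate", "TrustedIssuer", INTER_PUB), ROOT_PUB, ROOT_PRIV)
    leaf = sign(Cert("LegitApp", "Intermediate", APP_PUB), INTER_PUB, INTER_PRIV)
    return [leaf, inter]


def forged_chain() -> List[Cert]:
    """A certificate that NAMES the trusted issuer but is signed with an unrelated key."""
    leaf = Cert("MalwareApp", "TrustedIssuer", ATTACKER_PUB)
    return [sign(leaf, ATTACKER_PUB, ATTACKER_PRIV)]


if __name__ == "__main__":
    for label, chain in (("legit", legit_chain()), ("forged", forged_chain())):
        print(f"{label}: name-only check={flawed_chain_check(chain, TRUST_STORE)}, "
              f"signature check={correct_chain_check(chain, TRUST_STORE)}")
```

The forged certificate passes the name-only walk and fails the signature walk, which is the whole difference between the two validators. The mitigation is the same in any real implementation: trust is established by verifying each signature against the issuer's pinned or already-verified key, never by reading the issuer field.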
For more on digital certificates, look no further than the Emsisoft Knowledgebase.
What is a Digital Certificate?