Recently discovered, an Android vulnerability called Fake ID allows apps to impersonate other apps by copying their identity. Each app has its own unique identity, as defined by the developers, after they create their public/private key pair. This identity is a digital certificate used to cryptographically sign the app package (.apk file for Android) to be later verified by a tool or operating system for authenticity. Yet developers can copy an identity from another app, combine it with the new app’s identity to make a chain of certificates, attach that chain to the new app, and essentially “pose” as the former app. Given the nature of the vulnerability, it is likely that only malicious developers would conduct such activities. In addition, depending on which certificate details are copied, there could be a risk of the malicious application gaining more privileged access to the system or other running applications due to the trusted nature of some certificates.
At the heart of its security model, the Android operating system, like many other contemporary platforms, includes a component capable of verifying application packages via their signatures to ensure they match the app they are attached to. The Fake ID vulnerability fundamentally breaks this verification process and leaves the system unable to verify the authenticity of the certificate chain. This means that one application can claim to be issued by another application or identity. In theory the component should validate the certificate chain by checking the issuer signature of a child certificate against the public certificate of the issuer.
Depending on the behavior of the application installed–or of the certificate copied–and whether that has any default level of trust on the Android platform, data could be leaked from the device or other malicious activities could take place. Given the lack of warnings in all but the latest version of Android, a user would be none the wiser if an exploit had taken place.
Users of Android Versions 2.1, Eclair, through to 4.3, Jelly Bean, are vulnerable to this exploit, but the threat may depend on the hardware manufacturer or the applications on the system as to whether a malicious application could receive elevated privileges.
Google patched this vulnerability in the latest Android, Version 4.4.4, in April and has released the patch to OEMs. All users should make sure they have this version of Android on their devices or should take the measures noted below to make sure they’re not affected.
Depending on the hardware manufacturer and the version of Android, a user may be vulnerable to one or more privileged-attack vectors. Given that this problem relates to chains of certificates, a hacker could choose to include many certificates to cover all options, and more, in their specifically crafted malware.
- Install updates: Update your Google Android device to the latest OS–Android 4.4.4. This may be out of your control due to the nature of customization by Google OEMs and telecommunication carriers.
- Use security software: Especially if you cannot update your device to the latest version of Android, you could use a new tool provided by McAfee–Fake ID Detector–which enables you to quickly discover if your apps contain the exploit. The McAfee Mobile Security suite will be able to check for the exploit in a future version, but the current version can protect against known malware samples using the vulnerability.
- Avoid untrusted app stores: You should know and trust the sources of the applications you are installing. Google has put measures in place to check for this exploit in any app before it becomes available in the market place. Avoid installing applications from third-party market places and especially those attached to or linked to in emails or text messages.