Beware of Impostor Android Apps Using Fake ID

By McAfee Labs on Aug 15, 2014

The recently discovered Android vulnerability called Fake ID allows an app to impersonate another app by copying its identity. Each app has a unique identity that its developers define when they create a public/private key pair: a digital certificate used to cryptographically sign the app package (the .apk file on Android), so that a tool or the operating system can later verify the package’s authenticity. Yet a developer can copy another app’s certificate, combine it with the new app’s own certificate to form a chain of certificates, attach that chain to the new app, and essentially “pose” as the copied app. Given the nature of the vulnerability, only malicious developers are likely to do this. In addition, depending on which certificate is copied, the malicious application could gain more privileged access to the system or to other running applications, because some certificates are inherently trusted by the platform.

At the heart of its security model, the Android operating system, like many other contemporary platforms, includes a component that verifies application packages against their signatures to ensure each signature matches the package it is attached to. The Fake ID vulnerability fundamentally breaks this process: the system never checks the authenticity of the certificate chain, so one application can claim to have been issued by another application or identity. The component should validate the chain by checking the signature on each child certificate against the public key in the issuer’s certificate.
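The difference between a chain check that merely reads the issuer name and one that verifies the issuer’s signature is the whole point of the last sentence, so here is an added example written for this edit in Go; it is not code from the McAfee post or from Android’s package installer. The program constructs three certificates with made-up names and fresh keys: a trusted issuer, a legitimate app certificate actually signed by that issuer’s private key, and an impostor certificate that copies only the issuer’s name into its Issuer field while being signed by some other key. A name-only comparison accepts both; verifying the child’s signature against the issuer’s public key accepts the legitimate one and rejects the impostor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Demo holds the three constructed certificates so both checks can be run over them.
type Demo struct {
	Root, Legit, Forged *x509.Certificate
}

var serial int64 // simple unique serial counter for the constructed certificates

// genKey creates a fresh P-256 key pair; it stands in for a developer's signing key (assumption).
func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert issues a certificate for `subject` whose Issuer field is copied from `issuer`
// and whose signature is produced by `signer`. When issuer is nil the result is self-signed.
func makeCert(subject string, isCA bool, issuer *x509.Certificate, signer *ecdsa.PrivateKey, pub *ecdsa.PublicKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildDemo constructs the trusted issuer, a legitimately issued app certificate, and an
// impostor that carries the issuer's name but not the issuer's signature.
func BuildDemo() Demo {
	rootKey := genKey()
	root := makeCert("Trusted Issuer (constructed)", true, nil, rootKey, &rootKey.PublicKey)

	devKey := genKey()
	legit := makeCert("Legit App (constructed)", false, root, rootKey, &devKey.PublicKey)

	// The impostor never had the issuer's private key. It only copies the issuer's *name*
	// into a bare template, so the chain link is signed with its own key instead.
	otherKey := genKey()
	nameOnlyIssuer := &x509.Certificate{Subject: root.Subject}
	forged := makeCert("Impostor App (constructed)", false, nameOnlyIssuer, otherKey, &otherKey.PublicKey)

	return Demo{Root: root, Legit: legit, Forged: forged}
}

// IssuerNameOnly is the flawed check: it trusts the Issuer field without verifying anything.
func IssuerNameOnly(child, issuer *x509.Certificate) bool {
	return child.Issuer.CommonName == issuer.Subject.CommonName
}

// IssuerSignatureVerified is the check the article calls for: the child's signature must
// verify under the public key in the issuer's certificate (CheckSignatureFrom also enforces
// that the issuer is a CA certificate permitted to sign).
func IssuerSignatureVerified(child, issuer *x509.Certificate) bool {
	return child.CheckSignatureFrom(issuer) == nil
}

func main() {
	d := BuildDemo()
	for _, c := range []*x509.Certificate{d.Legit, d.Forged} {
		fmt.Printf("%-28s name-only=%v signature-verified=%v\n",
			c.Subject.CommonName, IssuerNameOnly(c, d.Root), IssuerSignatureVerified(c, d.Root))
	}
}
```

The naive check is what a Fake ID-style flaw amounts to: the Issuer field is attacker-controlled data, and only the signature binds a child certificate to the issuer’s key. In a real verifier, CheckSignatureFrom is only one link; the full path to a trust anchor, validity periods and revocation still have to be checked.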

Depending on the behavior of the installed application (or of the copied certificate), and on whether that certificate has any default level of trust on the Android platform, data could be leaked from the device or other malicious activities could take place. Given the lack of warnings in all but the latest version of Android, a user would be none the wiser if an exploit had taken place.

Users of Android Versions 2.1 (Eclair) through 4.3 (Jelly Bean) are vulnerable to this exploit, but whether a malicious application could gain elevated privileges depends on the hardware manufacturer and on the applications present on the system.

Google patched this vulnerability in the latest Android, Version 4.4.4, in April and has released the patch to OEMs. All users should make sure their devices run this version of Android, or take the measures noted below to make sure they are not affected.

Depending on the hardware manufacturer and the version of Android, a user may be exposed to one or more privileged-attack vectors. Because the problem relates to chains of certificates, an attacker could include many certificates in specifically crafted malware to cover all of those options and more.

  1. Install updates: Update your Google Android device to the latest OS, Android 4.4.4. This may be out of your control because of customization by Google OEMs and telecommunication carriers.
  2. Use security software: Especially if you cannot update your device to the latest version of Android, you can use a new tool provided by McAfee, Fake ID Detector, which lets you quickly discover whether your apps contain the exploit. A future version of the McAfee Mobile Security suite will check for the exploit; the current version can protect against known malware samples that use the vulnerability.
  3. Avoid untrusted app stores: Know and trust the sources of the applications you install. Google has put measures in place to check any app for this exploit before it becomes available in the marketplace. Avoid installing applications from third-party marketplaces, and especially those attached to or linked in emails or text messages.


About the Author

McAfee Labs

McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog for more information.


  1. Please, phone isn’t mine. This is the 5th phone I buy due to this. I receive root files that aren’t mine. I’m not rooted. My social apps are storing files that aren’t mine. Someone has control of my phone. The server info isn’t right. Month phones id isn’t right.. the kernel.. everything, please help.

    • I would recommend the following steps:
      1. Boot the phone into Safe Mode. You can usually do this by pressing the power button, then holding POWER OFF to bring up the option to restart in Safe Mode. (If this doesn’t work on your device, go ahead and google it. There are some devices that use different steps).
      2. Open SETTINGS and choose APPS, then look at the DOWNLOADED tab.
      3. Take a look through this list for anything that looks odd. If you see something weird, google it and find out if it’s legit. If it isn’t, Uninstall it. If you can remember about when the phone started acting up, that would also help you know which apps to suspect.
      If the uninstall button is grayed out, that means the virus has device admin rights, and that’s a little trickier. In that case:
      2. Uncheck the box for that app, then DEACTIVATE it on the next page.
      3. Now you should be able to go back to APPS, DOWNLOADED and remove that app.

      If this sorts you, BACK UP YOUR PHONE NOW. If not, you might need to contact our Technical Support for further assistance (

      If you have a backup from before these behaviors started, you could also reset to factory and restore. While in a factory setup, though, you should test if the behaviors still exist. That would be indicative of a problem with the device hardware itself, and you might need to contact your manufacturer at that point.

      I hope this helps, good luck!!
