People using Google’s Android operating system was recently caught with a bug called Fake ID. While Android is considered pretty stable and safe operating system there are some vulnerabilities that come time to time. some of them needs Google to release a minor revision to their operating system.
It allows the attackers to steal data and essentially take over a phone. Fake ID a vulnerability that allows malicious apps to impersonate trusted services without user notification. Fake ID also allows the hackers to take control of a device through change in its settings. It does not require any action or approval from the device owner and every action taken are hidden. The security hole which allows malware to impersonate apps, is said to have the capability to steal sensitive information such as credit card number. The malware does not need the permission of the user to take control of the device.
Every Android application has its own unique identity inherited by the corporate developers. The bug will copy the identifies and use them for criminal purpose. Using this vulnerability hackers could pose as Google Wallet to access financial and payment data and take control of an entire device by imitating enterprise security service. Fake ID works by exploiting Android’s method of handling certificates which verifies that an app. If an attacker can create a new digital identity certificate and claims that identity certificate was issued by the Adobe systems and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe System certificate. After installation the Android package installer will not verify the claim of the malicious identity certificate and create a package signature that contains both certificates. This allows the application to be granted the special web view plugin by adobe system. Thus insertion of malicious code in other application.
In short hackers fabricate a set of identities for a malware app and the set of permissions will be kept minimal when the malicious app is installed. A malware application can exploit multiple identities. Fake ID is especially dangerous because unlike other malware which is general.
This is presents serious threat to security as the bug is not limited to one app. A payment app such as PayPal or Google Wallet could be taken advantage of. Even the device management software could be fooled by this hackers can get full control of device.
This bug was fixed by development team and sent it to manufacturers.
Android users need to understand and develop security awareness among them in order to keep their device secure.