Fake ID is a new vulnerability on Android discovered by Bluebox Labs. It is a dangerous bug and can affect every Android device. It is a big concern for devices running old Android versions that no longer receive firmware updates.
The “Fake ID” vulnerability affects the way Android processes the digital signature identities attached to apps from a handful of vendors. The operating system is configured to automatically accept apps from certain vendors, such as Adobe. Those apps can also automatically plug into other apps and device hardware, which other apps cannot do.
An attacker can create a new identity certificate and forge a claim that it was issued by Adobe, then create an app that contains both certificates: the malicious identity certificate and the Adobe certificate. When you install the app, the Android package installer does not verify the malicious identity certificate's claim, and it creates a package that contains both certificates.
This tricks the certificate-checking code in the webview plugin manager, which checks the chain for Adobe certificates. The trick gives the application the plugin privileges granted to Adobe Systems. It escapes the sandbox and inserts malicious code, in the form of a webview plugin, into other apps.
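The gap between matching an issuer name and verifying the issuer's signature can be seen in a small model. This is an added example, not code from Android or Bluebox: textbook RSA over small constructed primes stands in for real X.509 signatures, "Trusted Vendor" stands in for the Adobe certificate, and every name in it (`Cert`, `links_verified`, `grants_vendor_privilege`) is hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Simplified model, NOT real X.509: toy RSA replaces the certificate signature algorithm.
@dataclass
class Key:
    n: int
    e: int
    d: int  # private exponent; a certificate carries only (n, e)

@dataclass
class Cert:
    subject: str
    issuer: str
    n: int
    e: int
    sig: int = 0

def make_key(p, q, e=65537):
    return Key(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def digest(cert, n):
    tbs = f"{cert.subject}|{cert.issuer}|{cert.n}|{cert.e}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % n

def issue(subject, issuer, subject_key, signing_key):
    cert = Cert(subject, issuer, subject_key.n, subject_key.e)
    cert.sig = pow(digest(cert, signing_key.n), signing_key.d, signing_key.n)
    return cert

def links_by_name_only(child, parent):
    # Behaviour described in the article: the issuer claim is accepted as written.
    return child.issuer == parent.subject

def links_verified(child, parent):
    # Hardened check: the child's signature must also verify under the parent's key.
    return (child.issuer == parent.subject
            and pow(child.sig, parent.e, parent.n) == digest(child, parent.n))

def grants_vendor_privilege(chain, trusted, link):
    # chain[0] is the app certificate; every adjacent pair must link up to `trusted`.
    return chain[-1] == trusted and all(link(c, p) for c, p in zip(chain, chain[1:]))

# Constructed sample data (Mersenne primes used only to keep the toy keys short).
VENDOR_KEY = make_key(2**31 - 1, 2**61 - 1)
OTHER_KEY = make_key(2**17 - 1, 2**19 - 1)
VENDOR = issue("Trusted Vendor", "Trusted Vendor", VENDOR_KEY, VENDOR_KEY)
GENUINE = issue("App A", "Trusted Vendor", OTHER_KEY, VENDOR_KEY)  # signed by vendor key
CLAIMED = issue("App B", "Trusted Vendor", OTHER_KEY, OTHER_KEY)   # names vendor only
```

With the name-only link, both `[GENUINE, VENDOR]` and `[CLAIMED, VENDOR]` are granted the vendor privilege; with the verified link, only the chain whose certificate was actually signed by the vendor key passes.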
Bluebox has created an app that scans your device to detect whether your system is vulnerable. It is called Bluebox Security Scanner, and it is available on the Play Store.