Fake ID threat for Android


Dec 29, 2009
via Business Week:

A new vulnerability called "Fake ID" has been identified. It can allow hackers to impersonate other applications and take control of your phone and the personal information you may be storing there.

Each Android application has its own digital signature—an ID card, in essence. Adobe Systems (ADBE), for example, has a specific signature on Android, and all programs from Adobe have an ID that’s based on that signature. Bluebox discovered that when an application flashes an Adobe ID, for example, Android does not check back with Adobe that it’s an authentic one. That means that a malicious actor could create malware based on Adobe’s signature and infect your system. The problem isn’t specific to Adobe; a hacker could create a malicious application that impersonates Google Wallet and then access payment and financial data. The same issue applies to administrative software present on some devices, allowing full control of the entire system.
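
As an added illustration (not code from Bluebox, Business Week or Android), the sketch below models the gap the quoted passage describes: a chain check that believes the issuer name an application's certificate claims, next to one that verifies the issuer's signature. The `Cert` class, the toy textbook-RSA keys and names such as `ExampleVendor` are constructed assumptions; real Android packages carry X.509 certificates.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by the toy keys

def keypair(p, q):
    # Textbook RSA from two known primes: toy sizes, illustration only.
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

@dataclass
class Cert:
    subject: str
    issuer: str      # name the certificate *claims* as its issuer
    pubkey: tuple
    sig: int = 0     # issuer's signature over tbs()

    def tbs(self):   # the "to be signed" fields
        return f"{self.subject}|{self.issuer}|{self.pubkey}".encode()

def issue(subject, pubkey, issuer_name, signing_key):
    cert = Cert(subject, issuer_name, pubkey)
    cert.sig = sign(signing_key, cert.tbs())
    return cert

def chain_ok_names_only(leaf, parent):
    # Weak check: believes the issuer name the leaf supplies about itself.
    return leaf.issuer == parent.subject

def chain_ok_verified(leaf, parent):
    # Hardened check: the parent's key must actually have signed the leaf.
    return leaf.issuer == parent.subject and verify(parent.pubkey, leaf.tbs(), leaf.sig)

# Constructed sample data (Mersenne primes keep the toy keys reproducible).
VENDOR_PUB, VENDOR_PRIV = keypair(2**31 - 1, 2**61 - 1)
OTHER_PUB, OTHER_PRIV = keypair(2**19 - 1, 2**31 - 1)
VENDOR = issue("ExampleVendor", VENDOR_PUB, "ExampleVendor", VENDOR_PRIV)
GENUINE = issue("vendor-plugin", OTHER_PUB, "ExampleVendor", VENDOR_PRIV)
CLAIMED = issue("lookalike-app", OTHER_PUB, "ExampleVendor", OTHER_PRIV)
```

Both `GENUINE` and `CLAIMED` pass `chain_ok_names_only`, but only `GENUINE` passes `chain_ok_verified`, because `CLAIMED` was signed with a key unrelated to the vendor's.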

Scary stuff. Especially since most of us do not have a fix yet:

Bluebox concluded its research in late March and submitted the bug to Google by March 31, according to Forristal. The Android security team developed a fix in April and provided the patch to vendors, who had 90 days to implement it before Bluebox publicized its findings, he says. Bluebox has tested about 40 Android-based devices out of more than 6,300 in the market. So far the company knows of only one vendor that has put a patch out, he adds.

Maybe calls to our vendors will get the ball rolling?

Here is the article: