Recently a well-known and recommended security research organization found a vulnerability in the legitimate certificate validation of the Android system. Hackers can create malicious apps to imitate trusted Android system apps such as Adobe Flash Plug-in, 3LM, etc. Malicious applications will then operate stealthily in user’s mobile devices, secretly stealing account numbers, passwords and other private information, making it a huge threat to all users.
How hackers forge trusted apps
Every Android application has its own certificate which serves as a unique identifier in the Android system, like an ID card. The Android system verifies the authenticity of an app only by referring to this ID. Once the ID is trusted, the app can carry out its operations as requested by users. Apps continue to be authenticated as long as they keep the same ID. In the real world, if one person holds the ID card of another, they can spoof that person’s identity and carry out certain transactions.
Impact of the Fake ID vulnerability
Currently the vulnerability affects devices running Android system versions from 2.1 to 4.3, which encompasses over 80% of Android users, or 100 million people worldwide.
As the Android system reports the malware as having a trusted ID, it’s difficult for the user to detect. For example, once a fake Adobe Flash ID malicious application has been verified by the system and installed on a device, it will be automatically loaded along with a browser and can then steal account credentials for online banking or social networking sites. Android will not know anything is wrong, as it thinks a trusted app is running.
Google and security vendors actively responded to Fake ID
Google published patch as soon as they discovered the vulnerability, and communicated to Samsung, HTC and other partners. At the same time they updated the Google Play app store to prevent applications that exploit the vulnerability from being added.
Users who can not update the system or install the Google Play Store are still at risk. For users who are part of this category, the CM Security Research Lab has developed a warning module and integrated it into CM Browser, Clean Master and CM Security, to provide instant protection and defense against this issue. Install Clean Master or CM Security immediately to ensure your device’s safety in real-time. As the same time surfing the web with CM Browser to prevent malicious plugins.
CM Security Researcher Lab tips:
1. Update your mobile versions to Android 4.4 and above as soon as possible.
2. Download apps from the official Google Play Store to prevent malware infection.
3. Install a reliable antivirus and keep it updated. We recommend using apps Clean Master and CM Security, which were recently awarded title of No.1 antivirus by AV-TEST for the sixth consecutive time.
4. Surfing with a secure browser .
References:
[1] http://bluebox.com/blog/technical/android-fake-id-vulnerability/
[2] https://android.googlesource.com/platform/libcore/+/android-cts-4.1_r4%5E%21/
Posted From Scorpion Sting’s Motorola Droid Maxx!
The Sting Of The Scorpion Blog (T.S.O.T.S.B.) 