Serious Android Security Flaw, Fake I.D., Found, Illustrates the Importance of Updates

As a society, we like I.D. cards. They are the manifestation of our trust that a person is who they say they are and that, yes, bartender, the possessor is old enough to enjoy a glass of cognac. But sometimes those I.D.s aren’t right. Sometimes they’re manipulated into stating things that aren’t true of the I.D.’s owner. Sometimes that form of I.D. is pure bunk. And when fake I.D.s are around, our sense of trust is violated.

Our I.D. obsession is also built into our software, and that software can suffer from similar flaws. Right now, Android, the most widely used mobile operating system in the world, has a serious security flaw that lets attackers pose as legitimate developers. That helps them spread malicious software (“malware”), because they can forge the digital I.D. an app carries, its signing certificate, in a way that passes Android’s verification. The flaw affects up to 82% of Android users, and it’s called “Fake I.D.”

The flaw is the result of how older versions of Android (versions 2.1 up to and including 4.4) verify who published an app. Every Android app is signed with a certificate, and that certificate can be accompanied by further certificates that vouch for it. Android reads this set when the app is installed, and some system components grant special privileges to apps whose certificates lead back to a particular trusted certificate. This set of linked certificates is referred to as a “certificate chain.”

A certificate chain, to keep a long post short, is a series of certificates in which each one is signed by the private key belonging to the certificate above it, ending at an issuer the verifier already trusts (on Android this is not a public Certificate Authority but a specific certificate that a system component has been built to trust). If every signature in the chain checks out, the verifier knows the trusted issuer really vouched for the certificate at the bottom. That is what tells the user, the hardware and other apps which publisher an app comes from and what that publisher’s apps are allowed to do.

Unfortunately, as The Guardian’s Tom Brewster illustrates, vulnerable versions of Android read the chain but never verify the signatures in it. An attacker can therefore create a certificate whose issuer field claims it was issued by a major software developer (the example given is Microsoft), sign it with a key of their own, and package it together with a copy of the real developer’s certificate inside a malicious app. Because Android only checks that the names line up, the malicious app inherits the same privileges as an app the developer actually approved. A successful attack would allow the attacker to download and run malicious programs on the affected device without the user ever knowing.

And it gets worse. The same trick works against any component that trusts a particular certificate. Forging a chain to the certificate trusted by Google Wallet, Google’s digital payments service, for example, could give a malicious app access to the phone’s Near Field Communications (NFC) hardware that Wallet uses for payments.
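To make the difference between the broken check and the correct one concrete, here is an added example (not code from the original post, Google or The Guardian). It constructs three certificates with Go’s standard library: a hypothetical “Trusted Developer Inc” certificate, an app certificate that developer genuinely signed, and a forged app certificate that copies the developer’s name into its issuer field but is signed with an attacker’s key. The trusted certificate is marked as a CA only so that Go’s chain verifier will accept it as a signer; real Android app certificates are normally self-signed, and the names, keys and serial numbers are all made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a fresh P-256 key pair; each party in the scenario gets its own.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert encodes template as a certificate whose Issuer name is taken from
// parent and whose signature is produced with signer, then parses it back.
// Nothing here forces signer to be the key behind parent's name: that is the
// gap the forged certificate below exploits.
func makeCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// certTemplate builds a minimal certificate template for a constructed party.
func certTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// BuildScenario returns the (hypothetical) trusted developer's certificate, an
// app certificate it genuinely issued, and a forged app certificate that names
// the developer as issuer but was signed with an attacker's key.
func BuildScenario() (trusted, legit, forged *x509.Certificate) {
	devKey := newKey()
	devTmpl := certTemplate(1, "Trusted Developer Inc") // hypothetical publisher
	devTmpl.IsCA = true                                   // so Go accepts it as a signer
	devTmpl.BasicConstraintsValid = true
	devTmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	trusted = makeCert(devTmpl, devTmpl, &devKey.PublicKey, devKey)

	// Legitimate: issued by the developer and signed with the developer's key.
	appKey := newKey()
	legit = makeCert(certTemplate(2, "Legit App"), trusted, &appKey.PublicKey, devKey)

	// Forged: the attacker copies only the developer's name into a stand-in
	// parent, so the Issuer field reads "Trusted Developer Inc", but the
	// signature is made with the attacker's own key.
	attackerKey := newKey()
	fakeParent := &x509.Certificate{RawSubject: trusted.RawSubject}
	forged = makeCert(certTemplate(3, "Malicious App"), fakeParent, &attackerKey.PublicKey, attackerKey)
	return trusted, legit, forged
}

// NameOnlyCheck mirrors the broken logic: accept the link if the issuer name
// written on the app's certificate matches the trusted certificate's name.
func NameOnlyCheck(leaf, trusted *x509.Certificate) bool {
	return bytes.Equal(leaf.RawIssuer, trusted.RawSubject)
}

// SignatureCheck is what a chain verifier must do: confirm that leaf really
// was signed with the private key matching trusted's public key.
func SignatureCheck(leaf, trusted *x509.Certificate) bool {
	return leaf.CheckSignatureFrom(trusted) == nil
}

func main() {
	trusted, legit, forged := BuildScenario()
	for _, c := range []struct {
		label string
		cert  *x509.Certificate
	}{{"legitimate app", legit}, {"forged app", forged}} {
		fmt.Printf("%-15s name-only check: %-5v signature check: %v\n",
			c.label, NameOnlyCheck(c.cert, trusted), SignatureCheck(c.cert, trusted))
	}
}
```

Run it and the legitimate certificate passes both checks, while the forged one passes the name-only check and fails the signature check. A vulnerable Android build behaved like NameOnlyCheck; the patched code verifies every link the way SignatureCheck does, which is why a forged issuer name alone no longer buys any privileges.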

So, yes, Fake I.D. is bad. But, thankfully, you can protect yourself from this flaw with a few simple steps.

  • Update your devices regularly. Updates issued by Google (or, for iPhone users, Apple) often contain critical security patches that harden your device against attacks. On Android the fix for a flaw like Fake I.D. only reaches your phone when your device maker or carrier ships it, so install updates as soon as they are offered. Staying on an old version of the operating system leaves you exposed.
  • Know who makes your apps. One of the best ways to avoid bad apps is to check the author of the app in question. In most instances, the author name should either match with the app, or be familiar enough that you know they’re associated with one another. If they’re not, or if you’re not certain if the author is who they say they are, take the time to do some research and determine whether or not the app is legitimate.
  • Reviews matter. In addition to verifying the validity of an app’s creator, scan through an app’s reviews to make sure they’re overwhelmingly positive. Also check how many downloads an app has. If it’s new to the app store, with few reviews and downloads, you might want to think twice before installing it on your device.
  • Use comprehensive security. With McAfee Mobile Security, free for Android, you can protect your smartphone and/or tablet from bad apps that might attempt to install malware on your devices.

And, of course, stay on top of the latest consumer and mobile security threats by following @McAfeeConsumer on Twitter and liking us on Facebook.
