“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate,” the Bluebox researchers said in a post explaining their discovery.
“Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (which explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.”
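To make the flaw the researchers describe concrete, here is an added toy model (not Android's or Bluebox's code) of the two trust decisions: a checker that only looks for the Adobe certificate somewhere in the chain, beside one that verifies each link against the key of the issuer it names and requires the root to be the trusted anchor. An HMAC stands in for an X.509 signature so it runs on the standard library alone, and every name and key is constructed.

```python
import hashlib
import hmac

# Toy model of the Fake ID trust decision. An HMAC under the issuer's key
# stands in for an X.509 signature so this runs on the standard library only;
# in this toy model a cert's "key" is both its verification and signing key.
# All names and keys below are constructed for the illustration.

ADOBE_KEY = b"adobe-root-key"        # genuine key behind the Adobe trust anchor
ATTACKER_KEY = b"attacker-key"       # the only key the attacker really controls

def sign(issuer_key, subject, issuer):
    """Toy certificate signature over the subject and issuer fields."""
    msg = f"{subject}|{issuer}".encode()
    return hmac.new(issuer_key, msg, hashlib.sha256).hexdigest()

def make_cert(subject, issuer, key, issuer_key):
    return {"subject": subject, "issuer": issuer, "key": key,
            "sig": sign(issuer_key, subject, issuer)}

ADOBE_ROOT = make_cert("Adobe Systems", "Adobe Systems", ADOBE_KEY, ADOBE_KEY)
TRUST_ANCHORS = {ADOBE_ROOT["subject"]: ADOBE_ROOT["key"]}

# Forged identity cert: it names Adobe as issuer but is signed with the
# attacker's key, then bundled with the genuine Adobe cert as the post describes.
FORGED_ID = make_cert("Evil App", "Adobe Systems", ATTACKER_KEY, ATTACKER_KEY)
FAKE_ID_CHAIN = [FORGED_ID, ADOBE_ROOT]

def vulnerable_is_adobe(chain):
    """Pre-fix logic: grant the privilege if the Adobe cert appears anywhere in
    the chain, never checking that each link is signed by the issuer it names."""
    return any(c["subject"] == "Adobe Systems" for c in chain)

def verified_is_adobe(chain):
    """Fixed logic: verify every cert against its issuer's key, leaf to root,
    and require the root to be the trusted Adobe anchor."""
    if not chain:
        return False
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert   # root is self-signed
        if issuer["subject"] != cert["issuer"]:
            return False
        expected = sign(issuer["key"], cert["subject"], cert["issuer"])
        if not hmac.compare_digest(expected, cert["sig"]):
            return False
    root = chain[-1]
    return TRUST_ANCHORS.get(root["subject"]) == root["key"]
```

Run `vulnerable_is_adobe(FAKE_ID_CHAIN)` and `verified_is_adobe(FAKE_ID_CHAIN)` side by side: the first grants the privilege to the forged chain, the second rejects it because the forged certificate's signature does not verify under Adobe's key.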
- Google produces a generic code fix, which it provides to the Android phone manufacturers
- Phone manufacturers must then incorporate that fix into a firmware update suitable for their specific phones, which they provide to carriers
- The carrier then distributes the final update, which ensures your phone is safe from the vulnerability

As regards Fake ID, Google has provided the generic code fix to the phone manufacturers.