FakeID is a major Android vulnerability this year. According to BlueBox Inc., the same company that published the “master key” vulnerability last year, it affects all Android versions since 2.1.
The vulnerability is caused by an insufficient check when verifying whether a subject certificate really belongs to its issuer. Android's low-level Java code checks whether the issuerDN of the subject certificate matches the subjectDN of the issuer certificate, but doesn’t check that the subject certificate was actually signed with the issuer's key. This allows an attacker to forge an app that passes the subject certificate check and makes Android believe it can share the permissions of another app. The full report can be found here: http://goo.gl/nQ5gIb .
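The difference between the name-only check described above and a check that also verifies the signature, shown as an added example (this is not Android's or BlueBox's code). Certificates are modelled as simple records signed with toy RSA over small known primes; `Cert`, `chain_ok_names_only`, `chain_ok_verified` and the DNs are names assumed for illustration.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy RSA key from two known primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    pubkey: int          # modulus of the subject's key
    signature: int = 0   # signature over tbs(), set by sign()

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.pubkey}".encode()

def sign(cert, signer_n, signer_d):
    cert.signature = pow(digest(cert.tbs(), signer_n), signer_d, signer_n)
    return cert

def chain_ok_names_only(child, parent):
    # Flawed check: only compares the child's issuerDN with the parent's subjectDN.
    return child.issuer == parent.subject

def chain_ok_verified(child, parent):
    # Hardened check: names must match AND the child's signature must
    # verify under the parent's public key.
    if child.issuer != parent.subject:
        return False
    return pow(child.signature, E, parent.pubkey) == digest(child.tbs(), parent.pubkey)

# Constructed sample keys (Mersenne primes, far too small for real use).
VENDOR_N, VENDOR_D = make_key(2**127 - 1, 2**89 - 1)
OTHER_N, OTHER_D = make_key(2**107 - 1, 2**61 - 1)

# Constructed sample certificates; the DNs are placeholders.
vendor = sign(Cert("CN=Vendor", "CN=Vendor", VENDOR_N), VENDOR_N, VENDOR_D)
genuine = sign(Cert("CN=Plugin", "CN=Vendor", OTHER_N), VENDOR_N, VENDOR_D)
# Same issuer name claimed, but signed with a key unrelated to the vendor.
claimed = sign(Cert("CN=Plugin", "CN=Vendor", OTHER_N), OTHER_N, OTHER_D)

if __name__ == "__main__":
    for name, cert in (("genuine", genuine), ("claimed", claimed)):
        print(name, chain_ok_names_only(cert, vendor), chain_ok_verified(cert, vendor))
```

Both certificates pass the name-only check; only the one actually signed by the vendor key passes the verified check.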
The Adobe webview plugin became a perfect target for this kind of attack. After disguising itself as a legitimate third-party plugin and tricking the webview plugin manager, a malicious app could be granted the special permissions of Adobe Systems. The app could then escape the sandbox, do nasty things such as accessing NFC hardware used in secure payments, and take administrative control of the device without any prompt or notification.
Our team has published a scanning app called FakeID Scanner, available on Google Play. The app scans your device and alerts you if you have installed an app that exploits this vulnerability.