Researchers find another Android attack that can get past signature checks

The vulnerability allows attackers to modify legitimate Android apps without breaking their digital signatures

A second vulnerability that can be exploited to modify legitimate Android apps without breaking their digital signatures has been identified and publicly documented.

Technical details about the vulnerability were published Wednesday by a security researcher in a Chinese language blog post.

The flaw is different from the so-called "masterkey" vulnerability announced last Wednesday by researchers from mobile security firm Bluebox Security, though both allows attackers to inject malicious code into digitally signed Android application packages (APKs) without breaking their signatures.

Android records the digital signature of an application when it is first installed and a sandbox is created for it. All subsequent updates for that application need to be cryptographically signed by the same author in order to verify that they haven't been tampered with.

Being able to modify legitimately signed apps means that attackers can trick users into installing fake updates for their already installed applications that would get access to all the potentially sensitive data stored by those applications. If the targeted applications are system apps, such as those pre-installed by device manufacturers, the malicious code in the rogue updates can even be executed with system privileges.

"It is a different approach to achieve the same goal as with the previous exploit," Pau Oliva Fora, a mobile security engineer at security firm ViaForensics, said Thursday via email. Earlier this week, Oliva Fora created a proof-of-concept exploit for the signature check bypass issue that Bluebox discovered.

The researcher didn't have time to create a similar exploit for the new issue, but he reviewed the technical details.

The new vulnerability allows attackers to inject code into particular files that exist in APKs, specifically in their headers, in a way that bypasses the signature verification process, he said. The files that can be modified are called classes.dex, but in order for the attack to work, the size of the targeted files needs to be under 64KB, which somewhat limits the attack.

This type of rogue APK modification is easy to detect, but the detection method is different than for apps modified to exploit the previously disclosed vulnerability, Oliva Fora said.

The method described in the Chinese language blog post is plausible and credible and has the same impact as the original Android "masterkey" vulnerability found by Bluebox researchers, said Jeff Forristal, the chief technology officer of Bluebox Security, via email on Thursday. "However, Bluebox is aware of a slightly different, more comprehensive method with less constraints than the one technically illustrated in that blog post."

That more comprehensive method was disclosed by Bluebox to Google, and a patch has already been released, he said. "Applying the released AOSP [Android Open Source Project] patch will protect against either method."

Technical details about the issue are currently being withheld in order to allow device manufacturers enough time to release new firmware versions containing the patch.

Information shared by Google with Bluebox Security suggests that Google Play can detect apps that attempt to exploit the new vulnerability, Forristal said. However, Bluebox has not performed any tests in order to confirm this, he said.

Google declined to comment on the matter.

Vulnerabilities that allow legitimate APKs to be modified without failing Android's digital signature checks could present benefits for cybercriminals. Attempting to pass malicious apps as popular games and other well-known applications has long been a technique used by Android malware authors to distribute their creations.

Some of the devices affected by this vulnerability will most likely never receive a patch because they've reached end of support. However, if Google Play already detects such exploits, users who don't install apps from alternative sources such as third-party app stores should be protected.

Tags Android OSBluebox SecurityviaForensicsGooglesecuritymobile securitymobilemalwaremobile applications

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?