Researchers find another Android attack that can get past signature checks

The vulnerability allows attackers to modify legitimate Android apps without breaking their digital signatures

A second vulnerability that can be exploited to modify legitimate Android apps without breaking their digital signatures has been identified and publicly documented.

Technical details about the vulnerability were published Wednesday by a security researcher in a Chinese language blog post.

The flaw is different from the so-called "masterkey" vulnerability announced last Wednesday by researchers from mobile security firm Bluebox Security, though both allows attackers to inject malicious code into digitally signed Android application packages (APKs) without breaking their signatures.

Android records the digital signature of an application when it is first installed and a sandbox is created for it. All subsequent updates for that application need to be cryptographically signed by the same author in order to verify that they haven't been tampered with.

Being able to modify legitimately signed apps means that attackers can trick users into installing fake updates for their already installed applications that would get access to all the potentially sensitive data stored by those applications. If the targeted applications are system apps, such as those pre-installed by device manufacturers, the malicious code in the rogue updates can even be executed with system privileges.

"It is a different approach to achieve the same goal as with the previous exploit," Pau Oliva Fora, a mobile security engineer at security firm ViaForensics, said Thursday via email. Earlier this week, Oliva Fora created a proof-of-concept exploit for the signature check bypass issue that Bluebox discovered.

The researcher didn't have time to create a similar exploit for the new issue, but he reviewed the technical details.

The new vulnerability allows attackers to inject code into particular files that exist in APKs, specifically in their headers, in a way that bypasses the signature verification process, he said. The files that can be modified are called classes.dex, but in order for the attack to work, the size of the targeted files needs to be under 64KB, which somewhat limits the attack.

This type of rogue APK modification is easy to detect, but the detection method is different than for apps modified to exploit the previously disclosed vulnerability, Oliva Fora said.

The method described in the Chinese language blog post is plausible and credible and has the same impact as the original Android "masterkey" vulnerability found by Bluebox researchers, said Jeff Forristal, the chief technology officer of Bluebox Security, via email on Thursday. "However, Bluebox is aware of a slightly different, more comprehensive method with less constraints than the one technically illustrated in that blog post."

That more comprehensive method was disclosed by Bluebox to Google, and a patch has already been released, he said. "Applying the released AOSP [Android Open Source Project] patch will protect against either method."

Technical details about the issue are currently being withheld in order to allow device manufacturers enough time to release new firmware versions containing the patch.

Information shared by Google with Bluebox Security suggests that Google Play can detect apps that attempt to exploit the new vulnerability, Forristal said. However, Bluebox has not performed any tests in order to confirm this, he said.

Google declined to comment on the matter.

Vulnerabilities that allow legitimate APKs to be modified without failing Android's digital signature checks could present benefits for cybercriminals. Attempting to pass malicious apps as popular games and other well-known applications has long been a technique used by Android malware authors to distribute their creations.

Some of the devices affected by this vulnerability will most likely never receive a patch because they've reached end of support. However, if Google Play already detects such exploits, users who don't install apps from alternative sources such as third-party app stores should be protected.

Join the PC World newsletter!

Error: Please check your email address.

Tags viaForensicsBluebox SecurityAndroid OSGooglesecuritymobile securitymobilemalwaremobile applications

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?