Researchers find another Android attack that can get past signature checks
The vulnerability allows attackers to modify legitimate Android apps without breaking their digital signatures
IDG News Service - A second vulnerability that can be exploited to modify Android apps without breaking their digital signatures has been identified and publicly documented.
Technical details about the vulnerability were published Wednesday by a security researcher in a Chinese language blog post.
The flaw is different from the so-called "masterkey" vulnerability announced last Wednesday by researchers from mobile security firm Bluebox Security, though both allow attackers to inject malicious code into digitally signed Android application packages (APKs) without breaking their signatures.
Android records the digital signature of an application when it is first installed and a sandbox is created for it. All subsequent updates for that application need to be cryptographically signed by the same author in order to verify that they haven't been tampered with.
Being able to modify legitimately signed apps means that attackers can trick users into installing fake updates for their already installed applications that would get access to all the potentially sensitive data stored by those applications. If the targeted applications are system apps, such as those pre-installed by device manufacturers, the malicious code in the rogue updates can even be executed with system privileges.
"It is a different approach to achieve the same goal as with the previous exploit," Pau Oliva Fora, a mobile security engineer at security firm ViaForensics, said Thursday via email. Earlier this week, Oliva Fora created a proof-of-concept exploit for the signature check bypass issue that Bluebox discovered.
The researcher didn't have time to create a similar exploit for the new issue, but he reviewed the technical details.
The new vulnerability allows attackers to inject code into particular files that exist in APKs, specifically in their headers, in a way that bypasses the signature verification process, he said. The files that can be modified are called classes.dex, but in order for the attack to work, the size of the targeted files needs to be under 64KB, which somewhat limits the attack.
This type of rogue APK modification is easy to detect, but the detection method is different than for apps modified to exploit the previously disclosed vulnerability, Oliva Fora said.
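Both issues come down to the same property: the bytes the signature verifier checks and the bytes the Dalvik loader actually executes must be the same. An APK is a ZIP file, and a ZIP carries each entry's metadata twice, in the central directory at the end of the archive and in a local file header in front of the entry's data; a verifier that reads one and a loader that reads the other can be made to disagree. The following Python is an added example (not code from the article, Bluebox, ViaForensics, or the blog post it discusses) of a defender-side consistency audit: it builds a constructed, unsigned APK-style archive in memory, then checks that every central-directory record agrees with its local header on name, sizes and CRC, that no entry name appears twice, and that the data decompresses to the declared CRC. The tampered sample edits one size field so the two views diverge; it is a generic illustration, not the specific header manipulation from the blog post, which this page does not detail, and the check is no substitute for the AOSP patch Bluebox refers to.

```python
import io
import struct
import zipfile

# Layout of a ZIP local file header (PKZIP appnote 4.3.7), little-endian:
# signature(4) version(2) flags(2) method(2) mtime(2) mdate(2) crc32(4)
# compressed_size(4) uncompressed_size(4) name_len(2) extra_len(2)
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes
LOCAL_HEADER_SIG = b"PK\x03\x04"
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes/CRC follow the data instead of the header


def build_apk(entries):
    """Build an in-memory APK-style ZIP from {name: bytes}.
    Constructed sample only; nothing here is signed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def audit_apk(apk_bytes):
    """Return a list of structural findings (empty list = nothing found).

    The central directory is what a Java-side verifier tends to trust; the
    local header is what a streaming or native reader tends to trust. Any
    field where the two can disagree is a field worth cross-checking.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        infos = zf.infolist()

        # 1. One entry name must map to exactly one entry.
        seen = set()
        for info in infos:
            if info.filename in seen:
                findings.append(f"duplicate entry name: {info.filename}")
            seen.add(info.filename)

        # 2. The local header each central-directory record points at must
        #    describe the same entry with the same sizes and CRC.
        for info in infos:
            off = info.header_offset
            raw = apk_bytes[off:off + LOCAL_HEADER_LEN]
            if len(raw) < LOCAL_HEADER_LEN:
                findings.append(f"{info.filename}: truncated local header")
                continue
            (sig, _ver, flags, _method, _mt, _md, crc, csize, usize,
             name_len, _extra_len) = struct.unpack(LOCAL_HEADER_FMT, raw)
            if sig != LOCAL_HEADER_SIG:
                findings.append(f"{info.filename}: bad local header signature")
                continue
            start = off + LOCAL_HEADER_LEN
            local_name = apk_bytes[start:start + name_len]
            if local_name.decode("utf-8", "replace") != info.filename:
                findings.append(
                    f"{info.filename}: local header names {local_name!r}")
            if not (flags & FLAG_DATA_DESCRIPTOR):
                if (crc, csize, usize) != (info.CRC, info.compress_size,
                                           info.file_size):
                    findings.append(f"{info.filename}: local header "
                                    "sizes/CRC differ from central directory")
            # 3. The data itself must decompress to the declared CRC.
            try:
                zf.read(info.filename)
            except zipfile.BadZipFile as exc:
                findings.append(f"{info.filename}: {exc}")
    return findings


# Constructed sample archive with the entries a minimal APK would carry.
CLEAN_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.demo'/>",
    "classes.dex": b"dex\n035\0" + b"\0" * 64,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})


def tampered_sample():
    """Constructed sample: the local header of classes.dex is edited so its
    uncompressed-size field no longer matches the central directory."""
    apk = bytearray(CLEAN_APK)
    with zipfile.ZipFile(io.BytesIO(CLEAN_APK)) as zf:
        info = zf.getinfo("classes.dex")
    size_off = info.header_offset + 22  # uncompressed_size field offset
    struct.pack_into("<I", apk, size_off, info.file_size + 1)
    return bytes(apk)


if __name__ == "__main__":
    print("clean   :", audit_apk(CLEAN_APK))
    print("tampered:", audit_apk(tampered_sample()))
```

Note that Python's own zipfile reads sizes from the central directory and only checks the local header's name, so `zf.read()` succeeds on the tampered archive; that is exactly why the explicit cross-check in step 2 exists rather than relying on a single parser's opinion.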
The method described in the Chinese language blog post is plausible and credible and has the same impact as the original Android "masterkey" vulnerability found by Bluebox researchers, said Jeff Forristal, the chief technology officer of Bluebox Security, via email on Thursday. "However, Bluebox is aware of a slightly different, more comprehensive method with less constraints than the one technically illustrated in that blog post."
That more comprehensive method was disclosed by Bluebox to Google, and a patch has already been released, he said. "Applying the released AOSP [Android Open Source Project] patch will protect against either method."