Vulnerability allows attackers to modify Android apps without breaking their signatures

The vulnerability affects 99 percent of Android devices and has existed since Android 1.6, researchers from security firm Bluebox said

A vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.

Researchers from San Francisco mobile security startup firm Bluebox Security found the flaw and plan to present it in greater detail at the Black Hat USA security conference in Las Vegas later this month.

The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures.

When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.

This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key.

The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.

The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said Wednesday in a blog post.

"Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet," they said.

The vulnerability can also be exploited to gain full system access if the attacker modifies and distributes an app originally developed by the device manufacturer that's signed with the platform key -- the key that manufacturers use to sign the device firmware.

"You can update system components if the update has the same signature as the platform," Forristal said. The malicious code would then gain access to everything -- all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.

Attackers can use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more.

Some of these methods, especially the one involving third-party app stores, are already being used to distribute Android malware.

Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.

However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That's the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.

Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.

Forristal confirmed that one third party device, the Samsung Galaxy S4, already has the fix, which indicates that some device manufacturers have already started releasing patches. Google has not released patches for its Nexus devices yet, but the company is working on them, he said.

Google declined to comment on the matter and the Open Handset Alliance did not respond to a request for comment.

The availability of firmware updates for this issue will differ across device models, manufacturers and mobile carriers.

Whether a combination of device manufacturers and carriers, which play an important role in the distribution of updates, coincide to believe that there is justification for a firmware update is extremely variable and depends on their business needs, Forristal said. "Ideally it would be great if everyone, everywhere, would release an update for a security problem, but the practical reality is that it doesn't quite work that way, he said."

The slow distribution of patches in the Android ecosystem has long been criticized by both security researchers and Android users. Mobile security firm Duo Security estimated last September, based on statistics gathered through its X-Ray Android vulnerability assessment app, that more than half of Android devices are vulnerable to at least one of the known Android security flaws.

Judging by Android's patch distribution history so far, the vulnerability found by the Bluebox researchers will probably linger on many devices for a long time, especially since it likely affects a lot of models that have reached end-of-life and are no longer supported.

Join the CSO newsletter!

Error: Please check your email address.

Tags Duo SecurityBluebox SecuritymobilespywareExploits / vulnerabilitiesdata protectionmalwaremobile applicationssamsungAndroid OSGooglesecuritymobile securityAccess control and authentication

More about GalaxyGoogleSamsungTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place