Researchers find another Android attack that can get past signature checks

The vulnerability allows attackers to modify legitimate Android apps without breaking their digital signatures

A second vulnerability that can be exploited to modify legitimate Android apps without breaking their digital signatures has been identified and publicly documented.

Technical details about the vulnerability were published Wednesday by a security researcher in a Chinese language blog post.

The flaw is different from the so-called "masterkey" vulnerability announced last Wednesday by researchers from mobile security firm Bluebox Security, though both allow attackers to inject malicious code into digitally signed Android application packages (APKs) without breaking their signatures.

Android records the digital signature of an application when it is first installed and a sandbox is created for it. All subsequent updates for that application need to be cryptographically signed by the same author in order to verify that they haven't been tampered with.

Being able to modify legitimately signed apps means that attackers can trick users into installing fake updates for their already installed applications that would get access to all the potentially sensitive data stored by those applications. If the targeted applications are system apps, such as those pre-installed by device manufacturers, the malicious code in the rogue updates can even be executed with system privileges.

"It is a different approach to achieve the same goal as with the previous exploit," Pau Oliva Fora, a mobile security engineer at security firm ViaForensics, said Thursday via email. Earlier this week, Oliva Fora created a proof-of-concept exploit for the signature check bypass issue that Bluebox discovered.

The researcher didn't have time to create a similar exploit for the new issue, but he reviewed the technical details.

The new vulnerability allows attackers to inject code into particular files that exist in APKs, specifically in their headers, in a way that bypasses the signature verification process, he said. The files that can be modified are called classes.dex, but in order for the attack to work, the size of the targeted files needs to be under 64KB, which somewhat limits the attack.

This type of rogue APK modification is easy to detect, but the detection method is different than for apps modified to exploit the previously disclosed vulnerability, Oliva Fora said.

The method described in the Chinese language blog post is plausible and credible and has the same impact as the original Android "masterkey" vulnerability found by Bluebox researchers, said Jeff Forristal, the chief technology officer of Bluebox Security, via email on Thursday. "However, Bluebox is aware of a slightly different, more comprehensive method with less constraints than the one technically illustrated in that blog post."

That more comprehensive method was disclosed by Bluebox to Google, and a patch has already been released, he said. "Applying the released AOSP [Android Open Source Project] patch will protect against either method."

Technical details about the issue are currently being withheld in order to allow device manufacturers enough time to release new firmware versions containing the patch.

Information shared by Google with Bluebox Security suggests that Google Play can detect apps that attempt to exploit the new vulnerability, Forristal said. However, Bluebox has not performed any tests in order to confirm this, he said.

Google declined to comment on the matter.

Vulnerabilities that allow legitimate APKs to be modified without failing Android's digital signature checks could present benefits for cybercriminals. Attempting to pass malicious apps as popular games and other well-known applications has long been a technique used by Android malware authors to distribute their creations.

Some of the devices affected by this vulnerability will most likely never receive a patch because they've reached end of support. However, if Google Play already detects such exploits, users who don't install apps from alternative sources such as third-party app stores should be protected.
