Revealed – A Flaw Which Allows Hackers To Modify Apps Without Changing Signatures In Android
Bluebox Security, a mobile security startup, has revealed that a vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate, digitally signed application and turn it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from the firm found the flaw and plan to present it in detail at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability was found in the cryptographic verification of Android application packages (APKs). It allows an attacker to modify the contents of an APK without breaking its cryptographic signature. The flaw has existed since at least Android 1.6, code-named Donut, which means all devices released since then may be affected by it.
On Android, whenever an app is installed and a sandbox is created for it, Android records the application’s digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for the Android security model because it ensures that data stored by an application in its sandbox can be accessed only by new versions of that application signed with the original author’s key. The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
“Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” they said.
“You can update system components if the update has the same signature as the platform,” Forristal said. The malicious code would then gain access to everything—all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers could use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more. If you suspect your mobile phone has been hacked, check out this post from Citizen Journal.
Google has responded to this research. Here is Google’s response:
“Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store’s application entry process in order to block apps that contain this problem,” Forristal said.
“The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem,” he added.
However, if an attacker tricks a user into manually installing a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That’s the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.