Revealed – A Flaw Which Allows Hackers To Modify Apps Without Changing Signatures In Android
Bluebox Security, a mobile security startup firm, has revealed a vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from the firm found the flaw and now are planning to present it in great details at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability was found in the cryptographic verification of android application packages (apk). The vulnerability allows the attacker to modify the content of the APKs without breaking the cryptographic signatures. The flaw has existed since at least Android 1.6, code named Donut, which means all the devices developed since then may be infected with it.
On android, whenever an app is installed and a sandbox is created for it, Android records the application’s digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for android security model as it make sure that data stored by one application in the sandbox is accessed by the new versions of the application carrying the original author’s key. The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
“Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” they said.
“You can update system components if the update has the same signature as the platform,” Forristal said. The malicious code would then gain access to everything—all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers may use this flaw to deploy a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more. If you suspect your mobile phone has been hacked check out this post from Citizen Journal.
Google has responded to this research, here is the Google’s response :
“Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store’s application entry process in order to block apps that contain this problem,” Forristal said.
“The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem,” he further added
However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That’s the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.
Make an app for your business using android app builder from Appy Pie. Learn more at https://www.appypie.com/
- How to Make a Vision Board that actually Works?
- A Comprehensive Guide to Capturing & Organizing All Your Ideas
- How To Generate a Random Unique Identifier with UUID in Swift
- How to Make an App Like Craigslist?
- How RJs and DJs can grow their audience by going mobile?
- 20 Ways To Get Pre-Launch Users
- How to Create a Career Counselling Chatbot? (Step-by-Step Guide)
- Arrays in Swift Explained
- Direct Response Marketing Examples to Increase Engagement & Sales
- 8 Best Certification Courses for Freelancers
Most Popular Posts
- Is the era of Android nearing its end?
By Abhinav Girdhar | July 31, 2018
- How to Automate Your E-commerce Store with Salesforce and Shopify Integration
By Abhinav Girdhar | February 24, 2023
- Dictionaries in Swift Explained
By Aasif Khan | December 23, 2021
- How to Create a Storage App Like Dropbox and Development Costs?
By Snigdha | October 8, 2022
- 7 Free Apps to Help You Lose Weight When Gyms are Closed
By Abhinav Girdhar | May 24, 2020