Revealed – A Flaw Which Allows Hackers To Modify Apps Without Changing Signatures In Android
Bluebox Security, a mobile security startup firm, has revealed a vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.
Researchers from the firm found the flaw and now are planning to present it in great details at the Black Hat USA security conference in Las Vegas later this month.
The vulnerability was found in the cryptographic verification of android application packages (apk). The vulnerability allows the attacker to modify the content of the APKs without breaking the cryptographic signatures. The flaw has existed since at least Android 1.6, code named Donut, which means all the devices developed since then may be infected with it.
On android, whenever an app is installed and a sandbox is created for it, Android records the application’s digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.
This is important for android security model as it make sure that data stored by one application in the sandbox is accessed by the new versions of the application carrying the original author’s key. The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
“Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet,” they said.
“You can update system components if the update has the same signature as the platform,” Forristal said. The malicious code would then gain access to everything—all applications, data, accounts, passwords and networks. It would basically control the whole device, he said.
Attackers may use this flaw to deploy a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more.
Google has responded to this research, here is the Google’s response :
“Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store’s application entry process in order to block apps that contain this problem,” Forristal said.
“The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem,” he further added
However, if an attacker tricks a user to manually install a malicious update for an app originally installed through Google Play, the app will be replaced and the new version will no longer interact with the app store. That’s the case for all applications or new versions of applications, malicious or non-malicious, that are not installed through Google Play, Forristal said.
Google was notified of the vulnerability in February and the company shared the information with their partners, including the members of the Open Handset Alliance, at the beginning of March, Forristal said. It is now up to those partners to decide what their update release plans will be, he said.