Technical details about the vulnerability were published Wednesday by a security researcher in a Chinese language blog post.
The flaw is different from the so-called “master key” vulnerability announced last Wednesday by researchers from mobile security firm Bluebox Security, though both allows attackers to inject malicious code into digitally signed Android application packages (APKs) without breaking their signatures.
Android records the digital signature of an application when it is first installed and a sandbox is created for it. All subsequent updates for that application need to be cryptographically signed by the same author in order to verify that they haven’t been tampered with.
Being able to modify legitimately signed apps means that attackers can trick users into installing fake updates for their already installed applications that would get access to all the potentially sensitive data stored by those applications. If the targeted applications are system apps, such as those pre-installed by device manufacturers, the malicious code in the rogue updates can even be executed with system privileges.
“It is a different approach to achieve the same goal as with the previous exploit,” Pau Oliva Fora, a mobile security engineer at security firm ViaForensics, said Thursday via email. Earlier this week, Oliva Fora created a proof-of-concept exploit for the signature check bypass issue that Bluebox discovered.
The researcher didn’t have time to create a similar exploit for the new issue, but he reviewed the technical details.
The new vulnerability allows attackers to inject code into particular files that exist in APKs, specifically in their headers, in a way that bypasses the signature verification process, he said. The files that can be modified are called classes.dex, but in order for the attack to work, the size of the targeted files needs to be under 64KB, which somewhat limits the attack.
This type of rogue APK modification is easy to detect, but the detection method is different than for apps modified to exploit the previously disclosed vulnerability, Oliva Fora said.
The method described in the Chinese language blog post is plausible and credible and has the same impact as the original Android “master key” vulnerability found by Bluebox researchers, said Jeff Forristal, the chief technology officer of Bluebox Security, via email on Thursday. “However, Bluebox is aware of a slightly different, more comprehensive method with less constraints than the one technically illustrated in that blog post.”
That more comprehensive method was disclosed by Bluebox to Google, and a patch has already been released, he said. “Applying the released AOSP [Android Open Source Project] patch will protect against either method.”
Technical details about the issue are currently being withheld in order to allow device manufacturers enough time to release new firmware versions containing the patch.
Information shared by Google with Bluebox Security suggests that Google Play can detect apps that attempt to exploit the new vulnerability, Forristal said. However, Bluebox has not performed any tests in order to confirm this, he said.
Google declined to comment on the matter.
Vulnerabilities that allow legitimate APKs to be modified without failing Android’s digital signature checks could present benefits for cyber-criminals. Attempting to pass malicious apps as popular games and other well-known applications has long been a technique used by Android malware authors to distribute their creations.
Some of the devices affected by this vulnerability will most likely never receive a patch because they’ve reached end of support. However, if Google Play already detects such exploits, users who don’t install apps from alternative sources such as third-party app stores should be protected.