The details of the Android vulnerability that enables an attacker to create a malicious update to an APK file without breaking its cryptographic signature have become public but it appears as though Google will have a patch ready for the flaw by the time it’s fully disclosed early next month.

The vulnerability involves the way that Android handles integrity checks on APK files and enables an attacker to create two versions of a given file with the same name, one that is benign and will pass the signature check and another that contains exploit code. The two files can be combined in one zip file in such a way that the benign one will be used when the device checks the signature on it and then the malicious one will be loaded onto the device.

Bluebox Security, which discovered the vulnerability and released some information on it last week, has been working with Google to coordinate the disclosure of the full details of the bug. The company is planning to discuss the vulnerability in a talk at the Black Hat conference in Las Vegas later this month, but Jeff Forristal, the company’s CTO, said that it has been waiting for Google to patch the vulnerability for several months now.

“Google initially indicated a 90 day window prior to releasing the patch to AOSP plus releasing firmware fixes for Nexus devices (which would be approximately the beginning of June).  The last communication from Google indicated they will have the patch released by the time of my Blackhat presentation, Aug 1.  Other vendors have already started releasing updated firmware for devices; fixes are in the ecosystem,” Forristal said via email.

Android users are dependent upon their carriers for software patches and each carrier has its own timeline for releasing updates.

The details of the Android vulnerability began to come into focus over the weekend when the maintainers of CyanogenMod published details of a bug they were patching, which lined up with the Bluebox advisory. On Monday Al Sutton, an Android specialist and founder of Funky Android Ltd. in the UK, posted a summary of the vulnerability and the behavior that could be used to exploit it. Discussing the effect of the vulnerability last week, Forristal said that it gave an attacker a reliable method for getting executable code onto any vulnerable Android device, which is hundreds of millions of devices going back to Android 1.6.

“We are able to modify executing code in the APK that is installed. That is normally a red flag because that would break the signature,” Forristal said. “We can do it by not breaking the signature. We have the ability to update any application on a phone and get access to data. We can make a malicious Facebook update by inserting Trojan code into a real one without breaking Facebook’s signature.”

In addition to the vulnerability details becoming public, there also is a proof-of-concept exploit tool available for the bug.

Image from Flickr photos of Kham Tran

Categories: Mobile Security, Vulnerabilities