The vulnerability occurs in the way Android conducts integrity checks on APK files. An attacker could store in a zip archive a benign and malicious version of the same file, give them the same file name, and the benign file will pass the signature check in Android, which enables the malicious modification to be added as well.
Chinese researchers posted a modification of the first attack reported last week. Their attack focuses on classes.dex apk files that are smaller than 64K, and by modifying an extra field length to 0xFFFD, they can fool the integrity check into loading a malicious payload.
Details on the vulnerability were made public a week ago after Bluebox Security researchers provided some high-level details on the flaw and promised to deliver more insight at the upcoming Black Hat Briefings in Las Vegas Aug. 1.
Google has already delivered a patch to some handset makers and carriers, and plans to patch the Android Open Source Project (AOSP) during Black Hat. However, as some versions of Android were patched, maintainers of CyanogenMod published details after reverse-engineering the patch. Funky Android founder Al Sutton published another summary shortly after the CyanogenMod details were publicized.
The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected.
“We are able to modify executing code in the APK that is installed. That is normally a red flag because that would break the signature,” BlueBox Security CTO Jeff Forristal told Threatpost. “We can do it by not breaking the signature. We have the ability to update any application on a phone and get access to data. We can make a malicious Facebook update by inserting Trojan code into a real one without breaking Facebook’s signature.
“The vulnerability is across generations and it’s architecture agnostic—it doesn’t matter,” Forristal said. “All you need basically is an app that is platform-signed, Trojan the code and take over the device.”
An attacker would be able to jailbreak an Android device, or worse, drop a program on the phone that would siphon corporate data such as email, make phone calls, send SMS messages, or even retrieve passwords and account information.
Forristall said the patch is two lines of code in a specific location of the Android code base, a simple fix. The complication is in getting handset makers and carriers to deliver the necessary firmware update. Google Play, the Android market, is patched and applications downloaded from the store are safe, Forristal said. In the meantime, users should be wary of downloading APK files from third parties.
“If you don’t know where the APK came from, it’s no different than grabbing .exes from the Net,” he said. “Make sure you’re not using apps from untrusted sources and stick to Google Play.”