
Android Update Lets Malware Bypass Digital Signature Check

Posted by timothy
from the just-sign-here-mr-lector dept.
msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."
  • by gnoshi (314933) on Wednesday July 03, 2013 @11:17PM (#44185229)

    It will be really interesting to see what this vulnerability is, on the 1st of August, since all that can be gathered from the press release is essentially:
    It is possible to change an APK without changing its signature, and Android will not notice. That does have big implications, but it isn't enough detail to say anything much more than "Oh, that's not good".

    • by Anonymous Coward on Wednesday July 03, 2013 @11:27PM (#44185289)

      Pffft... Like carriers push updates.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      So you can only get infected if you side load apks from sketchy sources. Play store users are safe.

      How is this any different if you side load apps on iOS devices?

      • by Anonymous Coward

        You need to tick the checkbox that allows sideloading. With this vulnerability you don't need to tick the checkbox.

        • by Namarrgon (105036)

          Actually, since Google have already patched the Play Store, it's still a safe channel. So you'd still have to sideload to risk being affected.

          • by Anonymous Coward

            Actually, since Google have already patched the Play Store, it's still a safe channel. So you'd still have to sideload to risk being affected.

            Yeah but you don't need to tick the check box that says "allow apps from unauthorized sources".

          • The problem is that Google get more and more apps out of the play store (e.g. GameCIH (memory editor), rooting apps...). Now it is hard to find these apps; you need to go to shady places to sideload them. This is 'great' for security :(

          • by smash (1351)

            So by extension, if you want to remain safe, you need to revert the device back to functionality apple provides with iOS.

            Why do I want to run android again?

            • by Reapman (740286)

              There's a bigger difference between iOS and Android than just sideloading. Change the default apps for email, maps, etc to whatever you want. Skin the UI. Make the choice and run a rooted custom version of Android. Different selection of handset sizes. Etc.

              If anything, sideloading is pretty useless for the majority of users. It's the other things that people use generally that makes Android different.

            • by Namarrgon (105036)

              Because *you* consider the options and make the choice for yourself, instead of some corporation that doesn't know anything about your situation.

              If you don't trust yourself with that responsibility, then of course you're free to hand it to Apple instead.

      • Re: (Score:2, Informative)

        by tlhIngan (30335)

        So you can only get infected if you side load apks from sketchy sources. Play store users are safe.

        How is this any different if you side load apps on iOS devices?

        Play store apps are safe NOW since Google was alerted to this in February and had a chance to update their scanners.

        But there's still plenty of ways of sideloading apps and who knows if they're sketchy? The problem is Android does not allow sideloading apps from certain alternative stores - it's either Play Store only or everyone.

        E.g., if you use A

      • So you can only get infected if you side load apks from sketchy sources. Play store users are safe.

        How is this any different if you side load apps on iOS devices?

        [assuming iOS had the same vulnerability...]

        "Sideloading" from other stores is a standard feature of Android. It's not with iOS. Thus this can hit ordinary users with standard Android phones. But not ordinary users with standard iOS.

        The step to iOS Jailbreaking is far more of a jump, and an awareness that it breaks security protection than changing a preferences option in Android.

        Furthermore, let's assume that in each case, the vulnerability is fixed with the next minor version of the OS. On iOS, the majority

    • by Anonymous Coward

      I'm sorry, but I have a hunch that anybody involved in the android modding community already knows what this "vulnerability" is. I just hope it's not what I think it is, cuz I like to mod my phone, and if they "fix" this, it puts an end to my hobby.

    • by complete loony (663508) <Jeremy@Lakeman.gmail@com> on Thursday July 04, 2013 @01:02AM (#44185735)

      APK's are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.

      Either way, you will still need to trick people into installing your version of the apk.

      • by Anonymous Coward

        APK's are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.

        Either way, you will still need to trick people into installing your version of the apk.

        My guess is this: android just checks the first files matching in the jar/zip for the names, but installs the files found last in the jar (or vice versa, zip files can have multiples of the same filename).
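
Added example (not part of the comment above, and not Android's own code): a Python check for the condition that comment guesses at, an archive holding more than one entry under the same name, which also shows that a name-based lookup silently returns only one of them. The sample archive, its contents and the function names are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(archive):
    """Return {name: [local header offsets]} for names that occur more than once."""
    offsets = defaultdict(list)
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():  # one item per central-directory record
            offsets[info.filename].append(info.header_offset)
    return {name: offs for name, offs in offsets.items() if len(offs) > 1}


def entry_bodies(archive, name):
    """Return the content of every entry called `name`, in archive order."""
    with zipfile.ZipFile(archive) as zf:
        return [zf.open(i).read() for i in zf.infolist() if i.filename == name]


def name_lookup(archive, name):
    """What a lookup by name alone returns (Python's zipfile keeps the last entry)."""
    with zipfile.ZipFile(archive) as zf:
        return zf.read(name)


def build_sample():
    """Constructed sample archive: two entries share the name classes.dex."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicates
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"first copy")
            zf.writestr("classes.dex", b"second copy")
    return buf


if __name__ == "__main__":
    sample = build_sample()
    for name, offs in duplicate_entries(sample).items():
        print(f"duplicate entry {name!r} at local header offsets {offs}")
    print("by-name lookup returns:", name_lookup(sample, "classes.dex"))
```

Any archive for which `duplicate_entries` returns a non-empty result is ambiguous to tools that address entries by name, so rejecting it before verification or installation removes the disagreement between parsers.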

      • by julesh (229690)

        APK's are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.

        AIUI, at least part of the APK signature verification only happens when you first install the APK. If you modify the file on the data partition (for which you would require root access), you can actually change the code and android does not notice that it no longer has a valid signature. I have done this, years ago, on a Froyo install for a phone that was running on a very slow processor, in order to remove certain delays (e.g. animation of screen on/off, which was taking too long). Nothing ever noticed

    • It is possible to change an APK without changing its signature, and Android will not notice.

      Just don't forget to update your hosts file.

  • I wonder how many of these 'vulnerabilities' are intentional, and get patched only when caught. Obviously these contraptions are wide open

    • by Anonymous Coward on Thursday July 04, 2013 @12:36AM (#44185621)

      And thus we dispel one of the many myths of open source. F/OSS is not bad and proprietary software is not necessarily better in any way or any of that shit but the cold hard fact is that even if you have access to the source code this sort of thing is going to happen! Nobody is reading and understanding all the code in its entirety being assured that there are no vulnerabilities or backdoors, no matter how much the fossies like to believe it.

      I'm not advocating one way or the other, just sayin that whole argument about security because we have access to the source code is rubbish.

      • by Agent ME (1411269)

        One of the things I've liked about open source is that it makes vulnerabilities more accessible. I mean that I like that from a user's point of view. If vulnerabilities are easier to discover, then it's easier for them to become publicized and fixed, especially if many vulnerabilities are discovered coincidentally by many groups. If vulnerabilities are hard to discover, then only someone spending all their time searching for vulnerabilities is likely to find it (as opposed to users or system administrators

  • Android fragmenting (Score:4, Interesting)

    by willthiswork89 (2885827) on Wednesday July 03, 2013 @11:24PM (#44185269)
    With all the fragmented versions of android, I sure hope that everyone (Verizon, att, etc) can get their heads out of their ass to get this patched. I'm concerned for the people using these things for business, but consumers could be affected majorly too. I guess we can't be sure exactly how bad of an issue this is until the first though.
    • by ADRA (37398) on Thursday July 04, 2013 @12:42AM (#44185649)

      Regardless of the infection, you still need physical access to the APK in question in order to circumvent its security, which seems like a feat in itself. I suppose this is akin to a local security rights elevation. It's a big deal, but doubtfully something that would reach mass infection levels.

      • by gl4ss (559668)

        Regardless of the infection, you still need physical access to the APK in question in order to circumvent its security, which seems like a feat in itself. I suppose this is akin to a local security rights elevation. It's a big deal, but doubtfully something that would reach mass infection levels.

        I don't know about that.. 3d printers are pretty popular nowadays.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Patches? Hahahahahahaha

      I'm pretty sure my carrier forgot my phone model existed the moment they sold it to me. It's a buggy piece of shit that hasn't ever gotten any patches.

  • by JThundley (631154) on Thursday July 04, 2013 @12:22AM (#44185569) Homepage

    If Google were competent they would have shipped Android with a modified HOSTS FILE. Hosts files can protect you from APK modification and cubic time bastards.

  • Ah, Java... (Score:2, Insightful)

    by Anonymous Coward

    ...write once, zero-day everywhere!

  • how dare anyone post anything security related about it. linux is secure, and apple's locking down of the device is evil. etc.
