Android Security

Android Update Lets Malware Bypass Digital Signature Check

msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."

  • by complete loony ( 663508 ) <Jeremy@Lakeman.gmail@com> on Thursday July 04, 2013 @01:02AM (#44185735)

    APKs are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.

    Either way, you will still need to trick people into installing your version of the apk.

  • by tlhIngan ( 30335 ) <slashdot.worf@net> on Thursday July 04, 2013 @01:35AM (#44185871)

    So you can only get infected if you side load apks from sketchy sources. Play store users are safe.

    How is this any different if you side load apps on iOS devices?

    Play store apps are safe NOW since Google was alerted to this in February and had a chance to update their scanners.

    But there are still plenty of ways of sideloading apps and who knows if they're sketchy? The problem is Android does not allow sideloading apps from certain alternative stores - it's either Play Store only or everyone.

    E.g., if you use Amazon, Humble Bundle, your "Allow non-Play store apps" checkbox is checked and you're vulnerable to sketchy APKs.

    And APKs can be installed without your knowing - there exist several lockscreen hacks for many phones that let you get enough access to install a lockscreen bypass app from the Play store. Someone doing that can install their sketchy app and then reset your phone back to normal.

    And you can't sideload iOS apps - they must come through the App Store. The only way is to either jailbreak, or install a developer certificate provisioning file that lets you install developer-signed apps. Or enterprise signed apps. Unlike Android, most iOS users don't have these installed, though if you can bypass the lock screen, you can install it. (Though since these certs are signed by Apple, Apple could revoke them if that's their use).

  • by mmurphy000 ( 556983 ) on Thursday July 04, 2013 @06:59AM (#44186827)
    Quoting Andy Fadden, an Android systems engineer, from his recent StackOverflow answer on this subject [stackoverflow.com]:

    The assumption is that, if an attacker is able to replace a .odex file, they have sufficient permission to do any number of other things.
