Google fixes APK nightmare-waiting-to-happen, sends patch to partners

Jul 11, 2013 by Nancy Owano weblog

( —As if Android was not getting enough press about exploit opportunities, a Bluebox Security expert let the world know earlier this month that its security team discovered a Master Key vulnerability where hackers could sidestep app verification and install Trojans that can sail through verification without any problems. With this exploit, a hacker can modify a normal Android application package file (APK) without having to break the app's cryptographic signature. That's the ticket. The signature break would have sent off red flags. (Explains Threatpost: Applications are digitally signed to establish or confirm the identity of the developer and the signatures make sure that future updates come from only the developer of the application.)

In his blog, Jeff Forristal, CTO of San Francisco-based Bluebox, wrote: "The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android's security model that allows a to modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user."

The vulnerability could affect nearly 900 million devices—any Android phone released in the last four years.
What's more, Bluebox Security was able to modify an Android device manufacturer's application, he said, to the point where the team had access to all permissions on the device. These might be troubling implications for a vulnerability capable of affecting 900 million devices, especially at a time when BYOD policies are not uncommon in some businesses.

All this can be viewed as much ado about something or might pan out to be much noise about nothing, because Google addressed the problem in a number of ways. Google updated Google Play, to provide checks that can block malicious attempts, so that any Android device user, by sticking to the Google Play area if intending to install any app or update, would not be at risk. Also, according to reports, the latest version of Android, has a built-in app-scanning system to check on apps coming from sources other than Google Play and a phone could block malicious code.

Google, meanwhile, has issued a patch to its hardware partners in the Open Handset Alliance. Manufacturers and carriers need to push it out to end users. Users who are unsure about their device models could check with the manufacture or mobile carrier. Google's Gina Scigliano, Android Communications Manager, said a patch was provided to partners and that some OEMs such as Samsung were shipping the fix to the Android devices.

Forristal said more details about the Android vulnerability will be made known during the Black Hat USA 2013 event in Las Vegas which opens on July 27. His presentation is described as a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013.

"The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access and control."
He will tell how the was located, and the created. "Working PoCs for major Android device vendors will be made available to coincide with the presentation," according to the blurb.

Explore further: Bluebox Security reveals Android vulnerability in run up to Blackhat convention

More information:

Related Stories

Google rolls its own keyboard app for Android 4.0 and up

Jun 06, 2013

( —Google Maps, Google Drive, Google This, Google That….But there is always room for one more new arrival from Google, and now it is in the form of an app called Google Keyboard. Available at ...

Researchers ID 'smishing' vulnerability in Android

Nov 05, 2012

(—Mobile security researchers have identified a new vulnerability in popular Android platforms, including Gingerbread, Ice Cream Sandwich and Jelly Bean. The vulnerability has been confirmed by ...

Android users get malware with their apps

Mar 02, 2011

( -- As new platforms make their way into the market there will always someone who is looking to exploit them for illegal or unethical ends. More proof of that fact has come today when Google was ...

Recommended for you

Review: 'Hearthstone' card game is the real deal

4 hours ago

Video game publishers don't take many risks with their most popular franchises. You know exactly what you are going to get from a new "Call of Duty" or "Madden NFL" game—it will probably be pretty good, ...

Microsoft expands ad-free Bing search for schools

Apr 23, 2014

Microsoft is expanding a program that gives schools the ability to prevent ads from appearing in search results when they use its Bing search engine. The program, launched in a pilot program earlier this year, is now available ...

Growing app industry has developers racing to keep up

Apr 20, 2014

Smartphone application developers say they are challenged by the glut of apps as well as the need to update their software to keep up with evolving phone technology, making creative pricing strategies essential to finding ...

Android gains in US, basic phones almost extinct

Apr 18, 2014

The Google Android platform grabbed the majority of mobile phones in the US market in early 2014, as consumers all but abandoned non-smartphone handsets, a survey showed Friday.

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Jul 12, 2013
Does this mean that this exploit can be used to "root" an Android phone via operating the app. If so, then it has a useful side.

More news stories

Facebook buys fitness app Moves

Facebook has bought the fitness app Moves, which helps users monitor daily physical activity and their calorie counts on a smartphone.

Cell resiliency surprises scientists

New research shows that cells are more resilient in taking care of their DNA than scientists originally thought. Even when missing critical components, cells can adapt and make copies of their DNA in an alternative ...