Google fixes APK nightmare-waiting-to-happen, sends patch to partners

July 11, 2013 by Nancy Owano weblog

As if Android were not getting enough press about exploit opportunities, a Bluebox Security expert let the world know earlier this month that its security team had discovered a Master Key vulnerability that lets hackers sidestep app verification and install Trojans that sail through verification without any problems. With this exploit, a hacker can modify a normal Android application package file (APK) without having to break the app's cryptographic signature. That's the ticket: a broken signature would have raised red flags. (Explains Threatpost: Applications are digitally signed to establish or confirm the identity of the developer, and the signatures make sure that future updates come only from the developer of the application.)

In his blog, Jeff Forristal, CTO of San Francisco-based Bluebox, wrote: "The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user."

The vulnerability could affect nearly 900 million devices—any Android phone released in the last four years.
What's more, Bluebox Security was able to modify an Android device manufacturer's application, he said, to the point where the team had access to all permissions on the device. These might be troubling implications for a vulnerability capable of affecting 900 million devices, especially at a time when BYOD policies are not uncommon in some businesses.

All this can be viewed as much ado about something or might pan out to be much noise about nothing, because Google addressed the problem in a number of ways. Google updated Google Play to provide checks that can block malicious attempts, so that any Android device user who sticks to Google Play when installing an app or update would not be at risk. Also, according to reports, the latest version of Android has a built-in app-scanning system that checks apps coming from sources other than Google Play, so a phone could block malicious code.

Google, meanwhile, has issued a patch to its hardware partners in the Open Handset Alliance. Manufacturers and carriers need to push it out to end users. Users who are unsure about their device models could check with the manufacturer or mobile carrier. Google's Gina Scigliano, Android Communications Manager, said a patch was provided to partners and that some OEMs such as Samsung were shipping the fix to their Android devices.

Forristal said more details about the Android vulnerability will be made known during the Black Hat USA 2013 event in Las Vegas which opens on July 27. His presentation is described as a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013.

"The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access and control."
He will tell how the was located, and the created. "Working PoCs for major Android device vendors will be made available to coincide with the presentation," according to the blurb.

1 comment

not rated yet Jul 12, 2013
Does this mean that this exploit can be used to "root" an Android phone via operating the app? If so, then it has a useful side.
