Friday, July 12, 2013

Android gets Attacked: Breaking Cryptographic Singnatures

The weakened Android apps allow hackers to break signatures

Android's vulnerability has affected more than a million devices allowing attackers to turn reliable apps into Trojan programs.   The Android app records digital signatures of applications and installs it into a sandbox when created.  The updates for the app are cryptographically signed by the same author in order to verify that they haven't been adjusted.  Researchers from the mobile security association Bluebox Security released the threat of the vulnerability that verifies digital signatures from the Android and allows attackers to modify them without breaking the signature code.  This has apparently been going on for the past four years!

Infected Android Apps

Tricky Tricky

Android's record digital signatures to match other signatures so it can verify that they came from the same author.  The Android security model ensures sensitive data is being stored by an application in its sandbox can be accessed by the latest versions of that application that are signed with the primary author's key.  So the attackers add malicious code to the already signed APKs and it doesn't break their signatures.

The Android security model safeguards the susceptible data stored by one application in its sandbox and can only be viewed by new versions of that application that are signed with the author's archetypal key.  The transparency of the Bluebox allows assailants to gain full access and manipulate signatures then using them for distributing Trojan apps, sending them via email, uploading them to a third-party app store, hosting them on any website, and copying them to the intended devises via USBs.

Pau Oliva Fora, a mobile security engineer who works at security firm ViaForensics, developed a proof-of concept Linux shell script that can be benefited by modifying an app in a way that exploits the flaw. This code operates with the APKTool program and was released this past Monday on Github.

"It's a problem in the way Android handles APKs that have duplicate file names inside," Oliva Fora said Tuesday via email. "The entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK -- the injected one that can contain the malicious payload and is not checked for signature at all."

Response from Google

Google made changes to Google Play to make sure it detects apps modified and patches it up, sharing the information with device manufacturers.  Users who install applications from sources other than Google Play is known as sideloading, this is an action potentially vulnerable to being tampered with.  However, if an adversary manually installs malicious updates for an app, it will be replaced and the new version will no longer interact with the app store.

It's confirmed that the third party device,  Samsung Galaxy S4, has the solution at bay.   Google is now working on arranging the Nexus devices, although nothing is completed.

The gradual distribution of patches in the Android ecosystem has been criticized by both security researchers and Android users.  Duo Security reported, the statics gathered through it's X-Ray Android  poor assessment app, more than half of Android devices are vulnerable to at least one of the known Android security flaws.

It's good to check the apps before you install them, do some research and look at the reviews.

Please visit for more blog posts on the latest technology and IT security news.


Vulnerability allows attackers to modify Android apps without breaking their signatures - C World
July 3, 2013

Proof-of-concept exploit available for Android app signature check vulnerability - ComputerWorld
July 9, 2013

Researchers find another Android attack that can get past signature checks - InfoWorld
July 11, 2013

Quick & dirty PoC for Android bug 8219321 discovered by BlueboxSec - GitHub
July 8, 2013

Image courtesy of [emptyglass] /

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

No comments:

Post a Comment