Android gets Attacked: Breaking Cryptographic Singnatures

The weakened Android apps allow hackers to break signatures

Android’s vulnerability has affected more than a million devices allowing attackers to turn reliable apps into Trojan programs.   The Android app records digital signatures of applications and installs it into a sandbox when created.  The updates for the app are cryptographically signed by the same author in order to verify that they haven’t been adjusted.  Researchers from the mobile security association Bluebox Security released the threat of the vulnerability that verifies digital signatures from the Android and allows attackers to modify them without breaking the signature code.  This has apparently been going on for the past four years!

 

Infected Android Apps

Tricky Tricky

Android’s record digital signatures to match other signatures so it can verify that they came from the same author.  The Android security model ensures sensitive data is being stored by an application in its sandbox can be accessed by the latest versions of that application that are signed with the primary author’s key.  So the attackers add malicious code to the already signed APKs and it doesn’t break their signatures.

The Android security model safeguards the susceptible data stored by one application in its sandbox and can only be viewed by new versions of that application that are signed with the author’s archetypal key.  The transparency of the Bluebox allows assailants to gain full access and manipulate signatures then using them for distributing Trojan apps, sending them via email, uploading them to a third-party app store, hosting them on any website, and copying them to the intended devises via USBs.

Pau Oliva Fora, a mobile security engineer who works at security firm ViaForensics, developed a proof-of concept Linux shell script that can be benefited by modifying an app in a way that exploits the flaw. This code operates with the APKTool program and was released this past Monday on Github.

 

“It’s a problem in the way Android handles APKs that have duplicate file names inside,” Oliva Fora said Tuesday via email. “The entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK — the injected one that can contain the malicious payload and is not checked for signature at all.”

 

Response from Google

Google made changes to Google Play to make sure it detects apps modified and patches it up, sharing the information with device manufacturers.  Users who install applications from sources other than Google Play is known as sideloading, this is an action potentially vulnerable to being tampered with.  However, if an adversary manually installs malicious updates for an app, it will be replaced and the new version will no longer interact with the app store.

It’s confirmed that the third party device,  Samsung Galaxy S4, has the solution at bay.   Google is now working on arranging the Nexus devices, although nothing is completed.

The gradual distribution of patches in the Android ecosystem has been criticized by both security researchers and Android users.  Duo Security reported, the statics gathered through it’s X-Ray Android  poor assessment app, more than half of Android devices are vulnerable to at least one of the known Android security flaws.

It’s good to check the apps before you install them, do some research and look at the reviews.

 

References:

Vulnerability allows attackers to modify Android apps without breaking their signatures – C World
http://www.pcworld.com/article/2043610/vulnerability-allows-attackers-to-modify-android-apps-without-breaking-their-signatures.html
July 3, 2013

Proof-of-concept exploit available for Android app signature check vulnerability – ComputerWorld
http://www.computerworld.com/s/article/9240645/Proof_of_concept_exploit_available_for_Android_app_signature_check_vulnerability
July 9, 2013

Researchers find another Android attack that can get past signature checks – InfoWorld
http://www.infoworld.com/d/mobile-technology/researchers-find-another-android-attack-can-get-past-signature-checks-222532
July 11, 2013

Quick & dirty PoC for Android bug 8219321 discovered by BlueboxSec – GitHub
https://gist.github.com/poliva/36b0795ab79ad6f14fd8
July 8, 2013

 

Image courtesy of [emptyglass] / FreeDigitalPhotos.net

Don’t miss out on the latest tech news and computer security alerts! Follow us on Twitter at @hyphenet,  “Like” us on Facebook or add us to your circle on Google+.

This entry was posted in Computer Security, malware and tagged , , , , .
Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

© 2014 Hyphenet, Inc.
1761 Hotel Circle S, Suite 350, San Diego, CA 92108

All rights reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited.

Hyphenet IT Security Blog located at 1761 Hotel Circle South, Suite 350 , San Diego, CA . Reviewed by 91 customers rated: 3.8 / 5