Feeds

Pwn all the Androids, part II: Flaw in Java, hidden Trojan

Google pushes update but when will it land?

The Essential Guide to IT Transformation

Analysis Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.

The flaw, discovered by the "Android Security Squad", stems from a Java-based issue (explained on a Chinese language blog here, Google translation here).

The vulnerability is similar to the so-called master key vulnerability recently announced by researchers from mobile security start-up Bluebox Security and due to be explained in more depth in a upcoming presentation at Black Hat in Las Vegas at the start of next month.

Bluebox first notified Google about a potential problem back in February, months prior to going public on the issue.

The practical effect of both flaws is the same: miscreants could upload Trojan-laden versions of Android application packages (.APK files) onto online marketplaces. These backdoored apps would carry the same digital signature as undoctored copies of the APKs.

The Chinese discovery is a "different approach to achieve the same goal as with the previous exploit," Pau Oliva Fora, a mobile security engineer at ViaForensics, told Computerworld. Oliva Fora put together a (harmless) proof-of-concept exploit based on the Bluebox vulnerability last week.

Pack RAT

Bluebox Security has avoided going into details prior to its upcoming Black Hat presentation on 1 August but the work of Oliva Fora and other security researchers has revealed that the current Android app security shenanigans stem from duplicate filename trickery in Android application installer files rather than something more esoteric, such as a hash collision.

Android installation packages are compressed in containers that work like ZIP archive files. Regular ZIP utilities generally prevent you from having two files with the name in one archive but the ZIP format itself doesn't preclude duplicated filenames - so with a bit of hacking and tweaking, you can fairly easily create a utility to build an archive with repeated filenames.

It's this behaviour that spawns the vulnerability discovered by Bluebox Security, explains anti-virus veteran Paul Ducklin in a post on Sophos' Naked Security blog.

"Android's cryptographic verifier validates the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version," Ducklin explains. "In other words, the APK passes its cryptographic tests at install time, even though what gets installed is bogus."

Chinese whispers

The Chinese vulnerability creates a means for miscreants to inject code into the headers of APKs without screwing with digital signatures. However the potential of the attack is limited because targeted files (of the type classes.dex) need to be smaller than 64K in size.

Google has already released a security fix to smartphone manufacturers covering both the Bluebox master key vulnerability and the flaw uncovered by the Chinese researchers, according to a statement from Jeff Forristal, CTO of Bluebox, received in response to our inquiries into the issue.

Bluebox had already sent disclosure to Google regarding the additional vulnerability discovered, prior to it being publicized in the referenced blog post. A (second) patch has already been released publicly (AOSP, Android Open Source Project) & to Google partners, although it is a bit too early to expect partners to have firmware updates containing the second patch ready for devices. A statement from Google indicates they scan for this vulnerability too in the Google Play Store, but Bluebox has not verified that statement.

Google has yet to respond to The Register's request for a comment on the vuln, so it remains unconfirmed whether or not Mountain View scans for modified applications that exploit either of the two vulnerabilities in its official Google Play store. Effective scanning would be little more complex than looking for duplicate filenames in APK files.

Stay away from those third-party apps

Google recently banned Google Play Store apps from updating outside the Play update mechanisms, as tech analysis blog GigaOM was among the first to note, so at least some protection is already in place.

Filters on Google Play don't do much to help users who install Android apps from third-party stores, of course.

Consumers and business users of Android devices won't really be protected until manufacturers roll out the Android software updates. Samsung is already pushing out a patch but other OEMs might be slower to react - and the whole process might take weeks, if not months.

Bluebox reckons 99 per cent of Android devices are vulnerable to the master key flaw. And that's without even considering devices out there that are still in use but no longer supported.

Almost all Android devices are vulnerable, since the vulnerability has existed since Android 1.6 (Donut), and only the Samsung Galaxy S4 has been patched to protect against it, Trend Micro warns.

A blog post by Trend providing an additional perspective on the problem, and taking issue with Bluebox's description of it as a master key vulnerability, can be found here.

"This vulnerability can be used to replace legitimate apps on an Android device with malicious versions," explains Jonathan Leopando, a member of Trend's technical communications team. "Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

"Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanised app for a bank would continue to work for the user, but the credentials would have been sent to an attacker," he adds. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.