Feeds

Pwn all the Androids, part II: Flaw in Java, hidden Trojan

Google pushes update but when will it land?

Internet Security Threat Report 2014

Analysis Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.

The flaw, discovered by the "Android Security Squad", stems from a Java-based issue (explained on a Chinese language blog here, Google translation here).

The vulnerability is similar to the so-called master key vulnerability recently announced by researchers from mobile security start-up Bluebox Security and due to be explained in more depth in a upcoming presentation at Black Hat in Las Vegas at the start of next month.

Bluebox first notified Google about a potential problem back in February, months prior to going public on the issue.

The practical effect of both flaws is the same: miscreants could upload Trojan-laden versions of Android application packages (.APK files) onto online marketplaces. These backdoored apps would carry the same digital signature as undoctored copies of the APKs.

The Chinese discovery is a "different approach to achieve the same goal as with the previous exploit," Pau Oliva Fora, a mobile security engineer at ViaForensics, told Computerworld. Oliva Fora put together a (harmless) proof-of-concept exploit based on the Bluebox vulnerability last week.

Pack RAT

Bluebox Security has avoided going into details prior to its upcoming Black Hat presentation on 1 August but the work of Oliva Fora and other security researchers has revealed that the current Android app security shenanigans stem from duplicate filename trickery in Android application installer files rather than something more esoteric, such as a hash collision.

Android installation packages are compressed in containers that work like ZIP archive files. Regular ZIP utilities generally prevent you from having two files with the name in one archive but the ZIP format itself doesn't preclude duplicated filenames - so with a bit of hacking and tweaking, you can fairly easily create a utility to build an archive with repeated filenames.

It's this behaviour that spawns the vulnerability discovered by Bluebox Security, explains anti-virus veteran Paul Ducklin in a post on Sophos' Naked Security blog.

"Android's cryptographic verifier validates the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version," Ducklin explains. "In other words, the APK passes its cryptographic tests at install time, even though what gets installed is bogus."

Chinese whispers

The Chinese vulnerability creates a means for miscreants to inject code into the headers of APKs without screwing with digital signatures. However the potential of the attack is limited because targeted files (of the type classes.dex) need to be smaller than 64K in size.

Google has already released a security fix to smartphone manufacturers covering both the Bluebox master key vulnerability and the flaw uncovered by the Chinese researchers, according to a statement from Jeff Forristal, CTO of Bluebox, received in response to our inquiries into the issue.

Bluebox had already sent disclosure to Google regarding the additional vulnerability discovered, prior to it being publicized in the referenced blog post. A (second) patch has already been released publicly (AOSP, Android Open Source Project) & to Google partners, although it is a bit too early to expect partners to have firmware updates containing the second patch ready for devices. A statement from Google indicates they scan for this vulnerability too in the Google Play Store, but Bluebox has not verified that statement.

Google has yet to respond to The Register's request for a comment on the vuln, so it remains unconfirmed whether or not Mountain View scans for modified applications that exploit either of the two vulnerabilities in its official Google Play store. Effective scanning would be little more complex than looking for duplicate filenames in APK files.

Stay away from those third-party apps

Google recently banned Google Play Store apps from updating outside the Play update mechanisms, as tech analysis blog GigaOM was among the first to note, so at least some protection is already in place.

Filters on Google Play don't do much to help users who install Android apps from third-party stores, of course.

Consumers and business users of Android devices won't really be protected until manufacturers roll out the Android software updates. Samsung is already pushing out a patch but other OEMs might be slower to react - and the whole process might take weeks, if not months.

Bluebox reckons 99 per cent of Android devices are vulnerable to the master key flaw. And that's without even considering devices out there that are still in use but no longer supported.

Almost all Android devices are vulnerable, since the vulnerability has existed since Android 1.6 (Donut), and only the Samsung Galaxy S4 has been patched to protect against it, Trend Micro warns.

A blog post by Trend providing an additional perspective on the problem, and taking issue with Bluebox's description of it as a master key vulnerability, can be found here.

"This vulnerability can be used to replace legitimate apps on an Android device with malicious versions," explains Jonathan Leopando, a member of Trend's technical communications team. "Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.

"Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanised app for a bank would continue to work for the user, but the credentials would have been sent to an attacker," he adds. ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.