Monday, August 26, 2013

Researchers find another Android attack that can get past signature checks

The vulnerability allows attackers to modify legitimate Android apps without breaking their digital signatures

A second vulnerability that can be exploited to modify Android apps without breaking their digital signatures has been identified and publicly documented.

Technical details about the vulnerability were published Wednesday by a security researcher in a Chinese language blog post.
The flaw is different from the so-called "masterkey" vulnerability, though both allow attackers to inject malicious code into digitally signed Android application packages (APKs) without breaking their signatures.

Android records the digital signature of an application when it is first installed and a sandbox is created for it. All subsequent updates for that application need to be cryptographically signed by the same author in order to verify that they haven't been tampered with.

Being able to modify legitimately signed apps means that attackers can trick users into installing fake updates for their already installed applications that would get access to all the potentially sensitive data stored by those applications. If the targeted applications are system apps, such as those pre-installed by device manufacturers, the malicious code in the rogue updates can even be executed with system privileges.

The new vulnerability allows attackers to inject code into particular files inside APKs, specifically into the headers of those files, in a way that bypasses the signature verification process. The affected files are called classes.dex, but for the attack to work the targeted file needs to be under 64KB in size, which somewhat limits the attack.
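As an added, illustrative check (not code from the article, the researcher, or Android itself): a Python routine that re-parses the local file header of each classes.dex entry in an APK and compares it with the central directory. The article does not name the specific header field involved, so the checks here, including the 0x7FFF extra-field threshold, are my own assumptions about what a defender would want flagged, and the sample APK is constructed, not a real app.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte ZIP local file header
SIGNED_SHORT_MAX = 0x7FFF  # assumed threshold: larger values read negative as a signed 16-bit int


def scan_local_headers(apk: bytes, names=("classes.dex",)):
    """Compare each named entry's local file header with the central directory.
    Returns a list of (entry, reason) findings. Hypothetical checker; all
    fields are parsed as unsigned little-endian values."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename not in names:
                continue
            off = info.header_offset
            (sig, _ver, flags, _method, _t, _d, crc, csize, usize,
             name_len, extra_len) = LOCAL_HDR.unpack_from(apk, off)
            if sig != LOCAL_SIG:
                findings.append((info.filename, "bad local header signature"))
                continue
            local_name = apk[off + 30:off + 30 + name_len].decode("utf-8", "replace")
            if local_name != info.filename:
                findings.append((info.filename, "name differs from central directory"))
            # flag bit 3: CRC and sizes live in a trailing data descriptor, not here
            if not flags & 0x8 and (crc, csize, usize) != (info.CRC, info.compress_size, info.file_size):
                findings.append((info.filename, "CRC/size differs from central directory"))
            if extra_len > SIGNED_SHORT_MAX:
                findings.append((info.filename, f"extra field length {extra_len} exceeds 0x7FFF"))
            if off + 30 + name_len + extra_len + csize > len(apk):
                findings.append((info.filename, "local data would run past end of file"))
    return findings


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed sample APK-shaped ZIP (not a real app). With tamper=True the
    classes.dex local header's extra-field length is overwritten with 0x8001."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # fake dex header
    apk = bytearray(buf.getvalue())
    if tamper:
        with zipfile.ZipFile(io.BytesIO(bytes(apk))) as zf:
            off = zf.getinfo("classes.dex").header_offset
        struct.pack_into("<H", apk, off + 28, 0x8001)  # offset 28 = extra field length
    return bytes(apk)
```

A clean archive yields no findings; the tampered fixture is reported twice, once for the oversized extra field and once because the data offset computed from it falls past the end of the file.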