Vulnerability Allows Attackers to Alter Legit APKs for Shady Business, Staying Official Keeps You Safe (Nothing New)


Security firms like to use scare tactics to get users to download their software. To be honest, it happens so often that it’s hard to tell anymore what is truly an issue or concern for the average mobile user. Unfortunately, that’s not going to change anytime soon, and this next bit of news is more of the same, really.

Apparently, there is a security flaw, or vulnerability if you will, that allows hackers to alter a digitally signed application so that they can use it as a Trojan to collect data or take control of the affected system. The flaw was discovered by (you guessed it) a security firm, Bluebox Security of San Francisco. The Bluebox researchers who found the flaw plan to talk more about it at the Black Hat USA security conference in Las Vegas, which is set to take place later this month.

In Android, every time an application is installed, a sandbox is created specifically for it and the OS assigns it a digital signature. The system uses the signature to verify that the app is legit, and it’s also used to keep track of the author. All future updates must be signed with the same digital signature, so that a sandbox can only be accessed by a single application carrying the same digital signature as when the sandbox was created.

The flaw basically allows ne’er-do-wells to inject malicious code into an APK without invalidating its digital signature. In theory, this would allow attackers to do pretty much whatever they wish with the device under the guise of a legitimate application.
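The integrity check that the signing scheme described above is supposed to provide, as an added example (not Bluebox’s code and not the Android platform’s own verifier): it recomputes every entry’s digest against META-INF/MANIFEST.MF, the first layer of APK/JAR signing, and flags entries that were replaced or added after signing. The sample archives are constructed inside the script, and the later layers (the .SF signature file and the signing certificate) are deliberately left out.

```python
import base64
import hashlib
import io
import zipfile

def b64sha1(data):  # base64 SHA-1, the form used on a manifest's SHA1-Digest line
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def parse_manifest(text):
    """Map entry name -> SHA1-Digest from META-INF/MANIFEST.MF (long-line wrapping not handled)."""
    digests, name = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[13:]
    return digests

def check_apk(data):
    """List entries missing from the manifest or whose content no longer matches its digest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for name in z.namelist():
            if name.startswith("META-INF/"):
                continue  # signature block files are verified by a later stage, not here
            if name not in manifest:
                problems.append(f"{name}: not covered by manifest")
            elif b64sha1(z.read(name)) != manifest[name]:
                problems.append(f"{name}: digest mismatch")
    return problems

def build_apk(files, signed=None):
    """Constructed sample: minimal APK-like zip; the manifest digests `signed` (defaults to files)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, content in (signed or files).items():
        lines += [f"Name: {name}", f"SHA1-Digest: {b64sha1(content)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, content in files.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed fixtures: a clean archive, and one whose code was swapped after the manifest was written.
ORIGINAL = {"classes.dex": b"dex\n035 original", "res/layout/a.xml": b"<a/>"}
GOOD = build_apk(ORIGINAL)
PATCHED = build_apk({**ORIGINAL, "classes.dex": b"dex\n035 patched"}, signed=ORIGINAL)
```

Passing `signed=` a different file set than `files` is only a way to build a tampered fixture; a real verifier never has that option, it must trust nothing outside META-INF.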

In a recent blog post, Bluebox noted the following:

“Depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.”

Bluebox Chief Technology Officer, Jeff Forristal expanded on that point with the following statement:

“You can update system components if the update has the same signature as the platform.”

That would allow attackers to take complete control of the system in question, including retaining access to personal data, accounts, passwords, associated networks and more.

The flaw has been around since Android 1.6, code-named Donut. Bluebox, using what I like to call scare tactics, so charmingly pointed out that this means the flaw affects any Android device released in the last four years.

I think it’s high time we head for the hills (might as well play some Iron Maiden while we do it too).

But wait! Forristal says that there’s no way to distribute offending apps through Google Play. The application submission process already screens for and blocks apps with this problem. However, attackers can gain access through a third-party version of an app that replaces the one of the same name normally downloaded from Google Play. As you probably already know, sideloaded apps don’t receive the same protections as officially installed ones, even if the same app exists in the Play Store.

It makes me angry because my indie purchase of Paper Monsters means I have to manually update every time a new APK is made available, but I digress.

This just confirms what we already know. Stay official, folks, and you’ll stay safe. Steer clear of all those suspicious third-party app stores.

Forristal says that the Samsung Galaxy S4 has already been patched with a fix for the issue, and Google is currently working on one for Nexus devices. Naturally, lots of devices out there will never be patched because they’ve reached the end of their life cycle and will receive no more software updates. As we’ve already covered, if you refrain from downloading content from third-party app stores, you’ll be just fine.

What do you think of all this?