Android sig vuln exploit SEEN IN THE WILD

Tiny script is a big headache


A GitHub user has demonstrated that the Android APK vulnerability isn't a trivial matter, posting “quick and dirty” proof-of-concept exploit code on GitHub.

The demo occupies just 32 lines of shell script. It doesn't actually plant malware into the target code; it merely allows an app to masquerade under another app's identity.

As noted in The Register on July 4, the vulnerability allows an app's APK code to be modified without breaking its cryptographic signature. At the time, Bluebox, which discovered the vulnerability (thus creating the credible business card any security startup needs), explained that firmware updates will be needed to fix the issue.

GitHub user “Poliva” – Pau Oliva Fora, whose LinkedIn profile identifies him as an engineer at viaForensics in Spain – created the script apparently without access to the promised extra information that Bluebox plans to present at Black Hat USA in August.

Although Google has been pushing patches to its OEMs since March, their availability depends on whether the OEM has shipped the new code through carriers to end users. In the meantime, Google maintains its advice that users should stay away from third-party Android app markets. ®

