Analysis Security researchers in China claim to have uncovered a second Android vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.
The vulnerability is similar to the so-called master key vulnerability recently announced by researchers from mobile security start-up Bluebox Security and due to be explained in more depth in a upcoming presentation at Black Hat in Las Vegas at the start of next month.
Bluebox first notified Google about a potential problem back in February, months prior to going public on the issue.
The practical effect of both flaws is the same: miscreants could upload Trojan-laden versions of Android application packages (.APK files) onto online marketplaces. These backdoored apps would carry the same digital signature as undoctored copies of the APKs.
The Chinese discovery is a "different approach to achieve the same goal as with the previous exploit," Pau Oliva Fora, a mobile security engineer at ViaForensics, told Computerworld. Oliva Fora put together a (harmless) proof-of-concept exploit based on the Bluebox vulnerability last week.
Bluebox Security has avoided going into details prior to its upcoming Black Hat presentation on 1 August but the work of Oliva Fora and other security researchers has revealed that the current Android app security shenanigans stem from duplicate filename trickery in Android application installer files rather than something more esoteric, such as a hash collision.
Android installation packages are compressed in containers that work like ZIP archive files. Regular ZIP utilities generally prevent you from having two files with the name in one archive but the ZIP format itself doesn't preclude duplicated filenames - so with a bit of hacking and tweaking, you can fairly easily create a utility to build an archive with repeated filenames.
It's this behaviour that spawns the vulnerability discovered by Bluebox Security, explains anti-virus veteran Paul Ducklin in a post on Sophos' Naked Security blog.
"Android's cryptographic verifier validates the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version," Ducklin explains. "In other words, the APK passes its cryptographic tests at install time, even though what gets installed is bogus."
The Chinese vulnerability creates a means for miscreants to inject code into the headers of APKs without screwing with digital signatures. However the potential of the attack is limited because targeted files (of the type classes.dex) need to be smaller than 64K in size.
Google has already released a security fix to smartphone manufacturers covering both the Bluebox master key vulnerability and the flaw uncovered by the Chinese researchers, according to a statement from Jeff Forristal, CTO of Bluebox, received in response to our inquiries into the issue.
Bluebox had already sent disclosure to Google regarding the additional vulnerability discovered, prior to it being publicized in the referenced blog post. A (second) patch has already been released publicly (AOSP, Android Open Source Project) & to Google partners, although it is a bit too early to expect partners to have firmware updates containing the second patch ready for devices. A statement from Google indicates they scan for this vulnerability too in the Google Play Store, but Bluebox has not verified that statement.
Google has yet to respond to The Register's request for a comment on the vuln, so it remains unconfirmed whether or not Mountain View scans for modified applications that exploit either of the two vulnerabilities in its official Google Play store. Effective scanning would be little more complex than looking for duplicate filenames in APK files.
Stay away from those third-party apps
Google recently banned Google Play Store apps from updating outside the Play update mechanisms, as tech analysis blog GigaOM was among the first to note, so at least some protection is already in place.
Filters on Google Play don't do much to help users who install Android apps from third-party stores, of course.
Consumers and business users of Android devices won't really be protected until manufacturers roll out the Android software updates. Samsung is already pushing out a patch but other OEMs might be slower to react - and the whole process might take weeks, if not months.
Bluebox reckons 99 per cent of Android devices are vulnerable to the master key flaw. And that's without even considering devices out there that are still in use but no longer supported.
Almost all Android devices are vulnerable, since the vulnerability has existed since Android 1.6 (Donut), and only the Samsung Galaxy S4 has been patched to protect against it, Trend Micro warns.
A blog post by Trend providing an additional perspective on the problem, and taking issue with Bluebox's description of it as a master key vulnerability, can be found here.
"This vulnerability can be used to replace legitimate apps on an Android device with malicious versions," explains Jonathan Leopando, a member of Trend's technical communications team. "Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.
"Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanised app for a bank would continue to work for the user, but the credentials would have been sent to an attacker," he adds. ®