Android Update Lets Malware Bypass Digital Signature Check

Posted by timothy on Wednesday July 3, 2013 @03:10PM from the just-sign-here-mr-lector dept.

msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."

4 of 85 comments (clear)

Min score:

Reason:

Sort:

Re:Looking forward to 1st August by Anonymous Coward · 2013-07-03 15:27 · Score: 4, Funny

Pffft... Like carriers push updates.
Re:Looking forward to 1st August by Jeremiah+Cornelius · 2013-07-03 16:18 · Score: 5, Funny

HOW can you COMPROMISE an APK file?
It USES HOSTS file!

--
"Flyin' in just a sweet place,
Never been known to fail..."
If google were competent... by JThundley · 2013-07-03 16:22 · Score: 4, Funny

If Google were competent they would have shipped Android with a modified HOSTS FILE. Hosts files can protect you from APK modification and cubic time bastards.
1. Re:If google were competent... by 93+Escort+Wagon · 2013-07-03 16:58 · Score: 4, Funny
  
  I'm curious, how would a different hosts file help you in this situation?
  It makes it easier for you to recognize jokes than the default hosts file does.
  
  --
  #DeleteChrome