Android Update Lets Malware Bypass Digital Signature Check

msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."

Re:Looking forward to 1st August

[complete+loony]

APK's are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.

Either way, you will still need to trick people into installing your version of the apk.

Re:Looking forward to 1st August

[mmurphy000]

Quoting Andy Fadden, an Android systems engineer, from his recent StackOverflow answer on this subject:

The assumption is that, if an attacker is able to replace a .odex file, they have sufficient permission to do any number of other things.