Android Update Lets Malware Bypass Digital Signature Check

msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."

Android fragmenting

[willthiswork89]

With all the fragmented versions of android, I sure hope that everyone(Verizon, att, etc) can get their heads out of their ass to get this patched. Im concerned for the people using these things for business, but consumers could be affected majorly too. I guess we can't be sure exactly how bad of an issue this is until the first though.

Re:Android fragmenting

[ADRA]

Regardless of the infection, you still need physical access to the APK in question in order to circumvent its security, which seems like a feat in itself. I suppose this is akin to a local security rights elevation. Its a big deal, but doubtfully something that would reach mass infection levels.

Re:Looking forward to 1st August

So you can only get infected if you side load apks from sketchy sources. Play store users are safe.

How is this any different if you side load apps on iOS devices?