Slashdot Mirror


Android Update Lets Malware Bypass Digital Signature Check

msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."

20 of 85 comments

  1. Looking forward to 1st August by gnoshi · · Score: 4, Insightful

    It will be really interesting to see what this vulnerability is, on the 1st of August, since all that can be gathered from the press release is essentially:
    It is possible to change an APK without changing its signature, and Android will not notice. That does have big implications, but it isn't enough detail to say anything much more than "Oh, that's not good".

    1. Re:Looking forward to 1st August by Anonymous Coward · · Score: 4, Funny

      Pffft... Like carriers push updates.

    2. Re:Looking forward to 1st August by Anonymous Coward · · Score: 3, Interesting

      So you can only get infected if you side load apks from sketchy sources. Play store users are safe.

      How is this any different if you side load apps on iOS devices?

    3. Re:Looking forward to 1st August by Jeremiah Cornelius · · Score: 5, Funny

      HOW can you COMPROMISE an APK file?

      It USES HOSTS file!

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    4. Re:Looking forward to 1st August by hairyfeet · · Score: 4, Insightful

      Does he get paid in cash or in Bing points? And do they get paid by the hour, by the post, is there a prime time that they get paid extra for? Meh I use Bing and all I get is Bing points but at least that gives me a small slice of the pie, the way I see it if these search engines are gonna make money datamining my searches the least they can do is give me a slice. Plus I like their animated search page and the image search is quite nice.

      As for TFA...sigh, we already knew that android was gonna hit its one millionth infection by this summer so while the fact that somehow (wow does TFA suck when it comes to details) they bypassed the checks as the guy that gets called when the stuff breaks I can tell you...they honestly didn't need to bother, people will happily infect their phones and tablets without a thought in the world. I swear it's the damnedest thing, it's like the SECOND you put it on another medium? all the old rules no longer apply. I've seen email scams that haven't worked on PCs in years, lame "just download our player" scams which again haven't worked on PCs in years, it's like the second the device is in a different form factor it ceases to become a "computer" and instead becomes "a magic screen which I push that does stuff" so for some damned reason all the rules they learned when running PCs just aren't even applied to the new medium.

      And I'll get hate for saying it but truth is truth, and hopefully the huge number of Android infections will lay to rest the lie that "Oh this OS is different, it doesn't get bugs" bullshit. ALL OSES, be they Windows, Linux, or OSX are frankly some of the most complex software platforms EVER created by man, and since man is fallible there WILL be bugs and if there are enough users to make it worth the trouble it WILL be exploited. The reason Linux and OSX got away with so few bugs as long as it did was because they just weren't a juicy enough target, and before anybody screams "servers!" don't waste your breath, servers are highly stripped down, locked down, and controlled by VERY smart guys with a shitload of education. Servers are as different from a user oriented OS as a router is, other than the fact they both run on hardware they really don't have much in common.

      But give it a few years and the users will begin to learn to show common sense with these mobile devices, the ones writing the OSes for these devices will learn to harden the shit out of them, then we'll see malware infections drop for awhile...until the next new thing comes out which users will treat like a magic box and we'll be back at square one all over again, sigh.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Looking forward to 1st August by complete loony · · Score: 4, Informative

      APKs are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.

      Either way, you will still need to trick people into installing your version of the apk.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    6. Re:Looking forward to 1st August by Sun · · Score: 4, Insightful

      I will wager a guess as to what the vulnerability is. If that is not it, then it just means there is another vulnerability.

      I'll just state that I'm not sure this is it, as what I'm talking about is not triggerable via an update. You would need root to trigger it.

      The information I am writing here is a product of my own research. It may or may not be the same as discussed above, but the symptoms are similar enough that I think it is.

      An APK is a zip file composed of two main parts: the compiled dalvik code (in a file called classes.dex), as well as the resources (spanning multiple files, exact format irrelevant here). All of those files are listed in a directory inside the APK with their hash, and that file is digitally signed. This is the Android signing process.

      The code, however, is in a format that is not immediately usable. I'm a bit fuzzy on the specific details, but the general idea is that you would need to adapt it to load addresses, based on everything else running in the same address space (the framework, and other libraries, if applicable). As a result, when Android first sees an APK, it does "optimization", in which it essentially takes the dex file, does all of the necessary relocations, and stores it in a directory called "dalvik-cache". As long as none of the APKs on which this cache file depends changed (the cache file stores the hashes for the original APK and all other dependencies), then Android does not bother with the classes.dex file stored inside the APK. It simply loads the optimized dex (odex) directly from the cache whenever needed. Needless to say, the odex is not hashed and is not signed. If you change it, Android will load your modified code without complaining.

      I had more to say, and typed it in and all, but then I got "Filter error: Lameness filter encountered" error. Probably too long. I think you will have to make do with the first half of my comment :-)

      Shachar

    7. Re:Looking forward to 1st August by Sun · · Score: 4, Insightful

      Second half of above comment:

      It gets worse, however. Some vendors do not like the fact that after factory reset, the phone takes a long time to boot as it turns all of the dex files into odex files. They also do not like the fact that these files take space in the data partition, which is where downloaded APKs and application data are stored by default. As a result, Android has a mechanism by which you can place an APK in the system partition that is already odexed. The APK file does not contain a classes.dex file at all. Instead, next to the APK there is another file, called with the same base name and an .odex extension. On such a system, the original, signed, code is not around, and all of the actual code of the application is unsigned.

      The severity of this attack, scary though it may sound, is not very high. You need root access in order to change the system folder or access the dalvik-cache directory. There is no privilege escalation. Just running unsigned code that seems to be signed. Also, any change to other parts of the system will invalidate the cache, and cause your exploit to disappear.

      All in all, an interesting, but not very scary, vulnerability.

      Shachar

    8. Re:Looking forward to 1st August by DrXym · · Score: 2

      I wonder how many of those infections occurred from apps in the Play store versus those acquired through other means, e.g. warez sites.

    9. Re:Looking forward to 1st August by julesh · · Score: 2

      APKs are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.

      AIUI, at least part of the APK signature verification only happens when you first install the APK. If you modify the file on the data partition (for which you would require root access), you can actually change the code and Android does not notice that it no longer has a valid signature. I have done this, years ago, on a Froyo install for a phone that was running on a very slow processor, in order to remove certain delays (e.g. animation of screen on/off, which was taking too long). Nothing ever noticed that the apks had been modified.
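
Editor's added example (not from the original thread, and not Android's own verifier): comments 5, 6 and 9 describe the JAR-style scheme in which a manifest inside the package lists each entry with its hash and that manifest is what gets signed, so any unsigned code in the file must either collide with a listed hash or slip past the per-entry check. The Python below builds a toy package with such a manifest, then runs a strict per-entry verifier over an untouched copy, a copy whose classes.dex was changed, and a copy with an entry added, to show what the check must report in each case. The entry contents, the file names and the functions build_apk, rewrite_apk and verify_apk are constructed for this illustration; the signature over the manifest itself is left out.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST_NAME = "META-INF/MANIFEST.MF"

# Constructed placeholder contents for a toy package (not a real app): the
# compiled code and the resources that the comments above describe.
SAMPLE_ENTRIES = {
    "classes.dex": b"dex\n035\x00" + b"\x00" * 32,
    "res/layout/main.xml": b"<LinearLayout/>",
    "AndroidManifest.xml": b"<manifest package='example.app'/>",
}


def digest_b64(data: bytes) -> str:
    """JAR-style digest value: base64 of the SHA-256 of the entry's bytes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def build_manifest(entries: dict) -> bytes:
    """Emit a MANIFEST.MF-like listing: one Name/SHA-256-Digest pair per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest_b64(data)}", ""]
    return "\n".join(lines).encode("utf-8")


def parse_manifest(blob: bytes) -> dict:
    """Return {entry name: expected digest} from a manifest produced above."""
    expected, name = {}, None
    for line in blob.decode("utf-8").splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            expected[name] = line[len("SHA-256-Digest: "):]
            name = None
    return expected


def build_apk(entries: dict) -> bytes:
    """Pack the manifest and the entries into an in-memory zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST_NAME, build_manifest(entries))
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def rewrite_apk(apk: bytes, changes: dict) -> bytes:
    """Copy an archive, replacing or appending entries while leaving the
    manifest alone. Used here only to construct inputs for verify_apk."""
    pending = dict(changes)
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, \
            zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = pending.pop(info.filename, None)
            if data is None:
                data = src.open(info).read()
            dst.writestr(info.filename, data)
        for name, data in pending.items():
            dst.writestr(name, data)
    return buf.getvalue()


def verify_apk(apk: bytes) -> list:
    """Strict per-entry check: every physical entry outside META-INF/ must be
    listed in the manifest with a matching digest, and every listed entry
    must be present. Returns a list of findings; empty means fully covered.
    (A real verifier also checks the signature over the manifest itself.)"""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        if MANIFEST_NAME not in zf.namelist():
            return ["manifest missing"]
        expected = parse_manifest(zf.read(MANIFEST_NAME))
        seen = set()
        # Walk the central directory entry by entry and hash each one's
        # actual bytes, so nothing shipped in the file escapes comparison.
        for info in zf.infolist():
            name = info.filename
            if name.startswith("META-INF/"):
                continue
            seen.add(name)
            if name not in expected:
                findings.append(f"unsigned entry: {name}")
            elif digest_b64(zf.open(info).read()) != expected[name]:
                findings.append(f"digest mismatch: {name}")
        for name in expected:
            if name not in seen:
                findings.append(f"missing entry: {name}")
    return findings


if __name__ == "__main__":
    good = build_apk(SAMPLE_ENTRIES)
    print("untouched:", verify_apk(good))
    print("modified classes.dex:",
          verify_apk(rewrite_apk(good, {"classes.dex": b"patched"})))
    print("extra entry:",
          verify_apk(rewrite_apk(good, {"lib/extra.so": b"\x7fELF"})))
```

The design point is the direction of the loop: the verifier iterates over what is physically in the archive and looks each entry up in the manifest, rather than iterating over the manifest and looking entries up in the archive. Only the first direction can report content that the signed listing never mentioned, which is the "unsigned code included in the file" case the comments worry about; and as comment 9 notes, a check like this is worthless if it only runs at install time and the loaded code is later taken from somewhere the check never looks.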

    10. Re:Looking forward to 1st August by mmurphy000 · · Score: 4, Informative

      Quoting Andy Fadden, an Android systems engineer, from his recent StackOverflow answer on this subject:

      The assumption is that, if an attacker is able to replace a .odex file, they have sufficient permission to do any number of other things.

    11. Re:Looking forward to 1st August by DrXym · · Score: 2

      Technically they could come from either but in practice? If I buy a popular game for 99c on Play which is free on a p2p site, which is most likely to be the malware?

      And most likely Google and AV vendors are very active in policing the store, putting apps through their paces in virtualized devices looking for suspicious behaviour, weeding out malware attempts, remote killing any installs of said malware. Whereas if some guy who installs an apk they got from a torrent site gets none of that and probably stands a larger chance of infection to go with it.

  2. Android fragmenting by willthiswork89 · · Score: 4, Interesting

    With all the fragmented versions of android, I sure hope that everyone (Verizon, att, etc) can get their heads out of their ass to get this patched. I'm concerned for the people using these things for business, but consumers could be affected majorly too. I guess we can't be sure exactly how bad of an issue this is until the first though.

    1. Re:Android fragmenting by ADRA · · Score: 4, Interesting

      Regardless of the infection, you still need physical access to the APK in question in order to circumvent its security, which seems like a feat in itself. I suppose this is akin to a local security rights elevation. It's a big deal, but doubtfully something that would reach mass infection levels.

      --
      Bye!
    2. Re:Android fragmenting by Anonymous Coward · · Score: 3, Insightful

      Patches? Hahahahahahaha

      I'm pretty sure my carrier forgot my phone model existed the moment they sold it to me. It's a buggy piece of shit that hasn't ever gotten any patches.

  3. If google were competent... by JThundley · · Score: 4, Funny

    If Google were competent they would have shipped Android with a modified HOSTS FILE. Hosts files can protect you from APK modification and cubic time bastards.

    1. Re:If google were competent... by 93 Escort Wagon · · Score: 4, Funny

      I'm curious, how would a different hosts file help you in this situation?

      It makes it easier for you to recognize jokes than the default hosts file does.

      --
      #DeleteChrome
  4. Re:900 million is a pretty big number by Anonymous Coward · · Score: 5, Insightful

    And thus we dispel one of the many myths of open source. F/OSS is not bad and proprietary software is not necessarily better in any way or any of that shit but the cold hard fact is that even if you have access to the source code this sort of thing is going to happen! Nobody is reading and understanding all the code in its entirety being assured that there are no vulnerabilities or backdoors, no matter how much the fossies like to believe it.

    I'm not advocating one way or the other, just sayin that whole argument about security because we have access to the source code is rubbish.

  5. Re:900 million is a pretty big number by Agent ME · · Score: 2

    One of the things I've liked about open source is that it makes vulnerabilities more accessible. I mean that I like that from a user's point of view. If vulnerabilities are easier to discover, then it's easier for them to become publicized and fixed, especially if many vulnerabilities are discovered coincidentally by many groups. If vulnerabilities are hard to discover, then only someone spending all their time searching for vulnerabilities is likely to find them (as opposed to users or system administrators that only do quicker searches since they're more busy just keeping things working), and then it's easier for them to keep them secret so they can use them themselves for years.

  6. Ah, Java... by Anonymous Coward · · Score: 2, Insightful

    ...write once, zero-day everywhere!