Slashdot Mirror


Code Released To Exploit Android App Signature Vulnerability

chicksdaddy writes with news of a Proof-of-Concept exploit for the recent Android APK signature vulnerability. From the article: "Pau Oliva Fora, a security researcher for the firm Via Forensics, published a small, proof of concept module on GitHub that exploits the flaw in the way Android verifies the authenticity of signed mobile applications. The flaw was first disclosed last week by Jeff Forristal, the Chief Technology Officer at Bluebox Security, ahead of a presentation at the Black Hat Briefings in August. ... The simple program leverages APKTool, an open source tool for reverse engineering Android applications — decompiling and then recompiling their contents. His script allows a user to select and then decompile a legitimate Android application and then recompile it, creating an altered, 'malicious' APK that will have the same cryptographic signature as the original file. In an e-mail statement, Google said that a patch for Forristal's vulnerability was provided to Google's OEM and carrier partners in March, and that some (Samsung) are already shipping a patched version of Android to customers. However, that response hasn't been universal — a reflection of Android's fragmented install base."

2 of 81 comments

  1. A malicious APK? by Anonymous Coward · Score: 5, Funny

    There's only one solution for a malicious APK.

    We need a custom HOSTS file ...

  2. Hint: real-life hacking is all automated by cbhacking · Score: 5, Interesting

    If by "lurk in the shadows" you mean "write a little Python script for a Raspberry Pi tucked behind a chair at your local Starbucks", and by "with a complete set of compromised copies of everything in the Google PlayStore" you mean "have the script be able to inject malicious code dynamically into any APK in a few milliseconds", and by "sniffing in hopes of intercepting someone's traffic" you mean "running a persistent ARP spoofing attack that routes all external traffic across the network through said RaPi 24/7", and by "quickly to insert a compromised copy of something midstream with a man-in-the-middle attack" you mean "implement basic automated intercepting proxy functionality such as is common in dozens of existing tools"... then yes.

    I don't think you realize how easy this kind of thing would be. Computers are tiny, silent, wireless, innocuous, and cheap these days. They are more than capable of modifying a typical APK in flight without introducing a human-noteworthy amount of latency. They can gain a MitM position easily and hold it for as long as the network stays up.

    Yeah, those who stick to their cellular networks for app downloading are better off (unless there's a femtocell on that network and the attacker has access to it...) but for a few hours of hacking and less than $50 per location counting WiFi adaptor, you could catch a lot of people using WiFi on their phones.

    --
    There's no place I could be, since I've found Serenity...