Newly uncovered Android exploit could put millions at risk - mackwently99

Technical details and a proof-of-construct exploit have been publicised for a latterly announced Android exposure that possibly affects millions of devices and allows attackers to turn legitimate apps into Trojan programs.

Last Wed, security researchers from mobile security firm Bluebox Security proclaimed that a vulnerability exists in the way of life Humanoid verifies the digital signatures of application packages (APKs), allowing attackers to alter them without breaking their digital signatures.

The Bluebox researchers merely provided a luxuriously-level description of the bug and its potential impact, retention the technical details for an upcoming presentation at the Lightlessness Hat security league in Las Vegas.

Since then, developers of CyanogenMod, a community-built Android firmware variant, experience identified where the bug is located and even merged a patch from Google into their code.

Using the information from the public CyanogenMod bug entry, Pau Oliva Fora, a mobile security engineer at security department steadfastly ViaForensics, developed a proof-of-concept Linux beat out script that can comprise used to modify an app in a right smart that exploits the fault. The code makes use of the APKTool program and was released Monday on Github.

"It's a problem in the way Android handles APKs that have matched register names inside," Oliva Fora aforesaid Tuesday via email. "The entry which is verified for signature is the bit one inside the APK, and the entry which ends up being installed is the first one exclusive the APK—the injected one that nates hold the malicious payload and is non patterned for key signature at all."

Google makes changes live

The Bluebox researchers said last week that Google made changes to Google Spiel in order to detect apps modified therein way and that a patch has already been shared with device manufacturers. This exclusive leaves users who install applications from sources other than Google Play—a process known as sideloading—possibly vulnerable.

"I conceive IT's a very serious vulnerability, and everyone with an unpatched gimmick should be cautious about what they install, especially if information technology doesn't come from an official distribution channel," Oliva Fora said.

The vulnerability presents benefits for Humanoid malware authors because it allows them to add malicious code to legitimate app packages and have them decently update the original applications if they are installed connected the targeted devices, the researcher aforesaid.

The bad guys take advantage

Android malware authors are already distributing malicious apps that masquerade as popular games Oregon applications though a miscellany of methods, including through third-political party app stores. This vulnerability could make this social engineering science technique Sir Thomas More efficient.

Fortunately, APKs modified in this way should atomic number 4 very easy to find by antivirus vendors, Oliva Fora aforementioned. "They just have to look up to for duplicate file names inside an APK register."

It would have been better if technical details about the vulnerability had not been disclosed until Pitch-dark Hat, as Bluebox Protection originally intended, the researcher said. However, "I'm sure that Jeff Forristal's [the Bluebox CTO] Black Hat talk leave not let down, justified if the details of the vulnerability are known," he said.

"A matched disclosure usually makes sure to the highest degree users are condom when the details of the exposure are disclosed, but due to the nature of the Mechanical man ecosystem, vendors and carriers will not deploy a patch for abandoned devices and sadly many devices will remain vulnerable forever," Oliva Fora aforementioned.

Source: https://www.pcworld.com/article/452804/proofofconcept-exploit-available-for-android-app-signature-check-vulnerability.html

Posted by: mackwently99.blogspot.com