
Android Flaw Lets Attackers Modify Apps While Not Breaking Signatures


The vulnerability affects 99 percent of Android devices and has existed since Android 1.6, researchers from security firm Bluebox said.

A vulnerability that has existed in Android for the past four years can allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data or take control of the OS.

Researchers from San Francisco mobile security startup Bluebox Security found the flaw and plan to present it in greater detail at the Black Hat USA security conference in Las Vegas later this month.

The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures.

When an application is installed and a sandbox is created for it, Android records the application's digital signature, said Bluebox Chief Technology Officer Jeff Forristal. All subsequent updates for that application need to match its signature in order to verify that they came from the same author, he said.

This is important for the Android security model because it ensures that sensitive data stored by one application in its sandbox can only be accessed by new versions of that application that are signed with the original author's key.

The vulnerability identified by the Bluebox researchers effectively allows attackers to add malicious code to already signed APKs without breaking their signatures.
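A toy model of the update check described above, added here as an illustration; it is not Android's or Bluebox's code. The `PackageRegistry` class, the package name, the certificate bytes and the out-of-band publisher hash are all assumptions of the example. It shows that a signer-continuity check alone accepts a modified package whose signature still verifies, while an independent file-hash comparison rejects it.

```python
import hashlib
from dataclasses import dataclass, field


class UpdateRejected(Exception):
    """An update failed a policy check."""


@dataclass
class PackageRegistry:
    """Hypothetical model of the installer's per-app signer record."""
    signers: dict = field(default_factory=dict)  # package -> signer cert SHA-256
    pinned: dict = field(default_factory=dict)   # (package, version) -> file SHA-256

    def install(self, package, signer_cert):
        # First install: remember who signed the app that owns the sandbox.
        self.signers[package] = hashlib.sha256(signer_cert).hexdigest()

    def check_update(self, package, version, apk_bytes, verified_cert):
        # verified_cert is what the platform's signature verifier reports.
        # With the flaw described above it is still the original author's
        # certificate even though apk_bytes were modified.
        if self.signers.get(package) != hashlib.sha256(verified_cert).hexdigest():
            raise UpdateRejected("signer differs from installed app")
        # Independent check: compare the exact file with a hash obtained
        # out of band from the publisher (an assumption of this example).
        expected = self.pinned.get((package, version))
        if expected and hashlib.sha256(apk_bytes).hexdigest() != expected:
            raise UpdateRejected("file hash differs from publisher's hash")
        return True


def demo():
    # Every value here is constructed for illustration.
    author, other = b"author-cert", b"other-cert"
    genuine, modified = b"v2 package", b"v2 package + added code"
    cases = {"genuine": (genuine, author), "other_signer": (genuine, other),
             "modified": (modified, author)}
    reg, results = PackageRegistry(), {}
    reg.install("com.example.notes", author)
    for pin in (False, True):
        if pin:
            reg.pinned[("com.example.notes", 2)] = hashlib.sha256(genuine).hexdigest()
        for name, (apk, cert) in cases.items():
            try:
                results[name, pin] = reg.check_update("com.example.notes", 2, apk, cert)
            except UpdateRejected as exc:
                results[name, pin] = str(exc)
    return results
```

`demo()` returns one result per case, first with only the signer check and then with the publisher hash pinned as well.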



The vulnerability has existed since at least Android 1.6, code named Donut, which means that it potentially affects any Android device released during the last four years, the Bluebox researchers said Wednesday in a blog post.

The vulnerability can also be exploited to gain full system access if the attacker modifies and distributes an app originally developed by the device manufacturer that is signed with the platform key, the key that manufacturers use to sign the device firmware.

Attackers can use a variety of methods to distribute such Trojan apps, including sending them via email, uploading them to a third-party app store, hosting them on any website, copying them to the targeted devices via USB and more.

Some of these methods, especially the one involving third-party app stores, are already being used to distribute Android malware.

Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.

Reviewed by Ankit Kumar Titoriya on 06:11. Rating: 5
