Vulnerability in Android allows attackers to turn any application into a trojan
The Bluebox Security Labs research team recently discovered a vulnerability in the Android security model that allows the code of an .apk application to be modified without invalidating the application's cryptographic signature. Any signed application can thus be turned into a trojan, and nobody will notice the substitution: neither the Play Market, nor the phone, nor the user.
This vulnerability has been present since Android version 1.6 “Donut”, in other words on any phone bought in the last 4 years, which is almost 900 million devices. Depending on the type of application, attackers can use the vulnerability to steal data or to build a mobile botnet.
For individuals and enterprises alike (a malicious application can gain access to private data or gain a foothold inside an enterprise), the danger is quite high, especially considering that applications developed by device manufacturers (for example HTC, Samsung, Motorola, LG) or by third parties working in collaboration with the device manufacturer have special privileges on Android.
Embedding code in an application from the device manufacturer can provide full access to the Android system and to all installed applications (or their data). Such an application can not only read arbitrary application data on the device (e-mail, SMS messages, documents, etc.) but also reach saved passwords. Moreover, the phone keeps working normally while any of its functions can be controlled (placing arbitrary phone calls, sending arbitrary SMS messages, turning on the camera, recording a call). Finally, an entire botnet can be built this way.
How it works:
All Android applications carry cryptographic signatures that allow the Android operating system to determine and verify whether the program's code has been tampered with. When an application is installed, Android creates a sandbox for it and records the application's digital signature. All subsequent updates to the application must match this signature, which verifies that they come from the same author.
The vulnerability exploits an inconsistency in how an APK is verified, which allows its contents to be modified without invalidating the application's cryptographic signature. Put simply, it tricks Android into believing that the application has not been modified.
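As an added illustration (not code from the article or from Bluebox), the following Python sketch shows the JAR-style check Android performs on an APK: the SHA-1 digest of each entry must match the digest recorded in META-INF/MANIFEST.MF. It omits the signature over the manifest itself (CERT.SF/CERT.RSA), builds a constructed in-memory APK, and as a hardening step also rejects an archive that lists the same entry name twice, since a verifier and a code loader could otherwise check different copies of an entry.

```python
import base64, hashlib, io, zipfile

def sha1_b64(data):
    # Base64 of SHA-1, the digest form used in JAR-style manifests
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_manifest(entries):
    # MANIFEST.MF: one "Name"/"SHA1-Digest" block per signed entry
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\n".join(lines).encode()

def parse_manifest(raw):
    digests, name = {}, None
    for line in raw.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def make_apk(signed, shipped):
    # Constructed sample APK: manifest digests from `signed`, archive bytes from `shipped`
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", build_manifest(signed))
        for name, data in shipped:
            zf.writestr(name, data)
    return buf.getvalue()

def verify_apk(apk_bytes):
    """Return (ok, reason): every non-META-INF entry must match its manifest digest,
    and a name listed twice is rejected so verifier and loader cannot check different copies."""
    zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = [info.filename for info in zf.infolist()]
    if len(names) != len(set(names)):
        return False, "duplicate entry names in archive"
    digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
    for name in names:
        if name.startswith("META-INF/"):
            continue
        if digests.get(name) != sha1_b64(zf.read(name)):
            return False, f"digest mismatch for {name}"
    return True, "all entries match the signed manifest"

SIGNED = {"classes.dex": b"dex\n035\x00original bytecode", "res/x.xml": b"<x/>"}
ORIGINAL = make_apk(SIGNED, SIGNED.items())   # constructed: as the author signed it
MODIFIED = make_apk(SIGNED, [("classes.dex", b"dex\n035\x00altered"), ("res/x.xml", b"<x/>")])
AMBIGUOUS = make_apk(SIGNED, list(SIGNED.items()) + [("classes.dex", b"dex\n035\x00other")])
```

Calling `verify_apk` on the three constructed archives accepts only `ORIGINAL`; the edited archive fails on its digest and the ambiguous one is refused before any digest is checked.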
In his presentation, Jeff Forristal will talk about bug 8219321 in Android OS, which he reported to Google in February this year, and about an exploit that works on almost all Android devices regardless of their age.
The screenshot shows that Bluebox Security changed the application from the manufacturer so that now they have full access to the device. In this case, the company changed the software information for the device.
Attackers can use many methods to distribute such trojan applications, including sending them by e-mail, uploading them to a third-party market, or hosting them on any website. Some of these methods, especially third-party application repositories, are already used to distribute malicious software for Android. Distributing a modified application through Google Play will fail, because Google has updated the process of publishing an application to the Market in order to block applications that exhibit this problem.
By the way, Google was notified of the vulnerability back in February and shared the information with its partners; it is now up to the partners to decide when to release an update for their devices. Forristal confirmed that one device, the Samsung S4, already has a patch, which shows that some device manufacturers have begun releasing fixes. Google has not yet released a patch for its Nexus devices, but the company is working on it.
If you do not have an account on Habrahabr, you can read and comment on our articles on BoxOverview.com