What Master Key? – Android Signature Bypass Vulnerability

Recently, a vulnerability in Android package signature verification was announced by Jeff Forristal, CTO of Bluebox Security. Jeff plans on revealing details at the upcoming BlackHat Briefings at the end of this month. Though he has not released any details on his findings beyond the initial blog post, more information is becoming available on how to protect yourself from this vulnerability.

What is a package signature?

Apps and Android OS updates are distributed in packages called APKs. APKs can come from the Google Play store, app stores, web sites, or directly from a PC over USB. Every app installed on an Android device must be cryptographically signed by the developer or distributor—this is the package signature. This is supposed to guarantee that the package has not been altered from the original. In addition, some signatures are special. Packages signed by the OEM may be given special privileges on the device. For example, an app signed by the OEM may be granted the ability to silently install other packages without involving the user. However, no normally installed app should be allowed to do this.

When an app or system update is installed, Android verifies the package signature by checking every file in the APK against the signature to make sure that no one has altered it. Unfortunately, due to the Android Signature Bypass vulnerability, it is possible for someone to insert their own potentially malicious files into the package without Android detecting the modification.

The Attack

Using this vulnerability, an attacker could modify an existing system update or app, and users installing it would unknowingly be installing executables from the attacker. This would give the attacker full control of the device. Once installed, the attacker could intercept phone calls, send and receive SMS messages, download or upload data, or even completely erase the device.

Fortunately, Google has been aware of this vulnerability since March and has taken two critical actions. The first, and most effective, was to make sure that there are no apps in Google Play that exploit this vulnerability. We can assume, too, that any new apps are also being checked. The second was to contact all of the Android OEMs to provide them with a patch that disallows duplicate files in APKs.
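The patch described above rejects packages containing duplicate file entries. The following added example, which is not from the original post or from McAfee, shows what that check looks like in Python over a ZIP-format package: it counts entry names in the archive's central directory and refuses to treat the package as installable when any name appears twice. The `classes.dex` / `AndroidManifest.xml` fixture is constructed for the demonstration and is not a real APK.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that appears more than once
    in the archive. A signed APK should never contain duplicates, because the
    signature check and the installer may each resolve the same name to a
    different entry; refusing duplicates is what the OEM patch does."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """Mirror the patched behaviour: refuse any package with duplicate entries."""
    return not duplicate_entries(apk_bytes)


def build_sample(dup: bool) -> bytes:
    """Constructed test fixture, not a real APK: a tiny ZIP with a manifest and
    a classes.dex entry, optionally followed by a second entry of the same name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"original dex bytes")
        if dup:
            # zipfile only warns on duplicate names; silence that for the fixture
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"second entry, same name")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)),
                        ("duplicate", build_sample(True))):
        print(label, duplicate_entries(blob), "install:", is_safe_to_install(blob))
```

Running the script reports no duplicates for the clean fixture and `{'classes.dex': 2}` for the tampered one, which the install check rejects.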

What can you do?

  1. Install updates – As with any vulnerability, the most important thing to do is to install any and all security updates available for your device. Google notified OEMs in March and provided them with a patch for this issue. Unfortunately, there is often a significant delay between Google providing a patch and updates being available on your device. This is due both to the need for the OEM to integrate and test the patch on all of its supported devices and, in the case of phones, for the carrier to do the same.
  2. Use security software – Second is to install and use security software capable of inspecting apps on your device. McAfee Mobile Security, as an example, scans every app and every file on your device for viruses and malware. It will thoroughly check both the APK and the contents of the APK. This means that even if malicious files are added to a good APK, MMS will still detect them. McAfee’s latest DAT update will detect any APK using this “Master Key” technique as suspicious using the name “Exploit/MasterKey.A”.
  3. Avoid untrusted app stores – Finally, you should know and trust your sources of apps. Google has stated that Play is free of apps exploiting this vulnerability. However, Play is not the only source of apps. Don’t install anything that is attached to an e-mail, from an app store, or from the web without first verifying with the sender that they really sent it and scanning it with security software.