A serious Android vulnerability, set to be disclosed at the Blackhat conference, has now been publicly disclosed. The vulnerability allows attackers to inject malicious code into legitimate apps without invalidating the digital signature.
Android applications must be digitally signed. This allows one to ensure the code within the app has not been tampered with and also assures the code was provided by the official publisher. Furthermore, Android utilizes an app-level permission system where each app must declare and receive permission to perform sensitive tasks. Digital signing prevents apps and their accompanying permissions from being hijacked.
This serious Android vulnerability allows an attacker to hide code within a legitimate application and use existing permissions to perform sensitive functions through those apps. Details of the vulnerability can now be found online and are extremely simple to implement.
Injecting malicious code into legitimate apps has been a common tactic by malicious app creators for some time. However, they previously needed to change both the application and publisher name and also sign any Trojanized app with their own digital signature. Someone who examined the app details could instantly realize the application was not created by the legitimate publisher. Now that attackers no longer need to change these digital signature details, they can freely hijack legitimate applications and even an astute person could not tell the application had been repackaged with malicious code.
We have added detection logic for the vulnerable condition to our backend Norton Mobile Insight systems and, out of four million applications, have not yet discovered malicious usage of the vulnerability. We have discovered a number of apps that unintentionally exploit the vulnerable condition, however. These apps are all built using a common popular build tool chain, which may have a bug resulting in malformed APK files. Unfortunately, this vulnerability affects 99 percent of Android devices, and usually patches take some time to be deployed by handset manufacturers and carriers, if at all.
If a malicious app is discovered exploiting this vulnerability, users will be able to protect themselves by installing Norton Mobile Security. Once installed, Norton Mobile Security will also regularly update itself to add more robust protection against this and future vulnerabilities.
Thanks to Bluebox Security who discovered the vulnerability.