Exploit for Android signing hole published
An exploit for the Android code signing hole, which was revealed a few days ago by Bluebox in advance of a presentation at the BlackHat conference, has now been published on GitHub. It allows its user to manipulate the files within APK format packages without the operating system being able to detect that the APK package has tampered with.
As reported yesterday, a package's manifest file has a hash for each file, but by saving both the modified and original file in the APK package, the checking of that hash can be fooled. The system checks the latter, original, file and passes it as valid but when it installs the package it installs the former, modified version of the file.
The exploit script uses the
apktool application to break up an APK into readable files which the user can change as required. It then creates a new APK file, with all the original APK contents and the modified versions the user has made. An article at Security Ledger, Oliva Fora, the author of the exploit, says that the vulnerability would allow to "impersonate the original signer of the APK by injecting malicious code into a valid updated APK".
He adds that if the attack is performed against a system application "it might be quite easy to create an APK that can execute code as the ‘system’ user (UID 1000 on Android), and escalate privileges to get root". Fora says he created the exploit after seeing the fix for CYAN-1602 in which CyanogenMod developers patched the zip file reading routines to block duplicate entries in the file.
A short test at heise Security, The H's associates in Germany, showed that the exploit doesn't seem to function, at least with the Android emulator. Attempts to install a manipulated signed APL resulted in the error message INSTALL_PARSE_FAILED_NO_CERTIFICATES.
Opinions differ though on the seriousness of the problem. Bluebox's initial presentation suggested they had found a masterkey and 99% of devices were vulnerable. Others have pointed out that the technique is well known withing the Android modding community and that users shouldn't be sideloading system applications onto their devices. It does appear that those who sideload applications could well be those who are also most at risk from this exploitable technique. There are though, still no reports of malware making use of the vulnerability in any venue.