Proof of concept for Android flaw found, patches start rolling out

CyanogenMod's developers have patched their own version of Android as Google pushes out its own to manufacturers, but proof-of-concept code in the wild could make it easier for attackers to target those that are not yet ready.
Written by Michael Lee, Contributor

Although a patch for a vulnerability that affects almost every Android application is now making its way to manufacturers, one security researcher has developed proof-of-concept code showing how to convert legitimate apps into something more dangerous.

Last week, Bluebox Security claimed that Android applications could be repackaged with trojans without the user or operating system being the wiser, meaning that 99 percent of all devices were vulnerable. The company's CTO wrote a lengthy, high-level post about the issue, but didn't explain exactly how the security flaw works, saving the details for his BlackHat talk.

However, CyanogenMod developer Nikolay Elenkov has already worked out that the flaw exists due to how Android handles duplicate entries within an application package. Elenkov has written a patch, self-described as "crude", that has been worked into CyanogenMod 10.1 already.

Google's own patch for Android is slowly making its way to manufacturers, but viaForensics security researcher Pau Oliva has written a "quick and dirty" proof of concept that takes a legitimate app, allows an attacker to modify it, then repackages it with the verification signature still intact.

While this makes life easier for attackers, it doesn't demonstrate a complete real-world attack. Two possible ways that an attack like this could work are to get users to side-load the application to their phone or conduct an automated man-in-the-middle attack on the Google Play store itself.

Users are often unaware of whether to trust side-loaded applications in the first place, so it could be argued that a falsified signature wouldn't be necessary to take advantage of many more of these users. The second attack, however, could abuse any trust that a user has in the Play store.

Although the Play store conducts all of its searches and API calls over HTTPS, which offers a layer of protection against man-in-the-middle attacks, the actual download of packages occurs without encryption over HTTP. This could theoretically allow someone to monitor connections to the Play store, intercept traffic, apply Oliva's proof-of-concept code, and modify packages on the fly.

Such an attack would need to be quite targeted, however, and as such is highly unlikely to occur.

Bluebox Security has since released a tool on the Play store that it claims will help determine whether a device has been compromised by someone exploiting the flaw.
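The flaw described above hinges on an application package carrying more than one entry with the same name, so a simple defensive check is to scan an APK (which is a zip file) for duplicate entry names before installing it. The following is an added example written for this article, not code from Bluebox, CyanogenMod or the researchers named here; it uses Python's standard zipfile module and builds its own constructed sample packages, so it runs offline.

```python
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(apk_bytes):
    """Return {entry name: count} for every name that appears more than once
    in the package's central directory. Two entries with one name is the
    condition the signature verifier and the installer can disagree on, so a
    clean package should return an empty dict."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_apk(duplicate):
    """Constructed sample standing in for an APK (assumption: a real APK is
    a zip with at least a manifest, classes.dex and META-INF entries).
    With duplicate=True it carries two entries both named classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("classes.dex", b"dex\n035\x00first copy")
        if duplicate:
            # zipfile warns about the duplicate name but still writes it,
            # which is exactly the shape of package this check is for.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore", UserWarning)
                zf.writestr("classes.dex", b"dex\n035\x00second copy")
    return buf.getvalue()


def is_suspicious(apk_bytes):
    """Policy helper: treat any duplicated entry as grounds to refuse install."""
    return bool(find_duplicate_entries(apk_bytes))


if __name__ == "__main__":
    for flag in (False, True):
        pkg = build_sample_apk(flag)
        print(f"duplicate={flag}: {find_duplicate_entries(pkg)} "
              f"suspicious={is_suspicious(pkg)}")
```

The check reads only the central directory, so it flags a package whichever copy a given parser would end up picking.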