Android-App-Modification

Bluebox Security Labs research group has recently discovered and published some information on the vulnerability of Android security core, which gives a chance to modify application’s .apk code, without confirming and compromising a cryptographic signature of the app itself. Using that security hole, evildoers may be able to turn literary any application into a malicious source of threat. The most important thing here is the fact that nor Android and Play Market, neither the user will be able to detect the fact of code modification.

That vulnerability may affect all Android phones and tablets with Android 1.6 “Donut” and higher. In other words, that could be any smartphone, that was purchased in last 4 years. That’s almost 900 million of devices. Modified application may be used for various purposes, from sending SMS to premium phone numbers, to creating a full-scale mobile botnet. In a matter of fact modern smartphones are more dangerous here, but the good news are that there is a chance that manufacturers will create a patch quickly

So, potential threat of the recently discovered vulnerability is rather high, and it may be even higher, if hackers will be able to modify apps, developed by big vendors, such as HTC, Samsung, LG and others, because their apps have more privileges and rights in the Android OS.

Malicious-Apps-For-Android

Code injection may provide a full access to Android OS and all the installed applications. Modified app may be able not only to read various data, stored at the device, such as emails, SMS, documents, but also saved passwords! As we’ve already mentioned, Android OS security system itself won’t be able to detect such an injection and that’s why, modified malicious app won’t affect other functions and your phone or tablet will work just as always.

All the applications that you install to your Android device have special signatures, which let the operating system to detect and check if the code of the app was modified. When the app is installed, Android creates a special “sandbox” for it, so if something goes wrong with the application – it won’t affect others. All the permissions of that application are working only inside that sandbox. But Android malware is still able to use those permissions against you! That sandbox also stores that signature and all the updates for the application must have to identical signature too.

Disclosed vulnerability uses a discrepancy, that is allowed when an .apk file is modified, such modification means no damage to a signature. To keep it simple we at Jammer-Store may say that this exploit allows to trick Android into thinking that application was not modified.

Mobile-BotNet

Evildoers have a lot of ways how to spread those malicious .apk files, including emailing them, uploading them to third-party application’s vendors and many others. Some of those methods, especially third-party repositories are already used to spread malicious apps for Android.

But the good news are that it is impossible to upload such a modified application to Google Play, because Google has already updated the process of uploading the app to make sure that modified apps won’t reach users.

Google knew about that issue in February already and shared that information with their partners. Now Google works on the updates for their Nexus devices, while Samsung has already updated their Galaxy line and S4.

So, as you can see there are a couple of ways to avoid those malicious apps. First of all use an antivirus and do your best to avoid third-party app vendors, because in most cases they have malware. Also keep an eye for your Bluetooth and Wi-Fi modules, they may be used against you Wi-Fi/Bluetooth signal blockers may come in handy here. And at last, if you think that your smrtphone is already infected – get it to specialists ASAP!

  • Share/Bookmark