http://arstechnica.com/security/2013/07/google-patches-critical-android-threat-as-working-exploit-is-unleashed/
By Dan Goodin
Ars Technica
July 9, 2013

A security researcher has published working exploit code that allows
attackers to surreptitiously turn legitimate apps running on Google's
Android mobile operating system into malicious trojans. Around the same
time, Google said it released a patch that helps protect users from abuse.

As previously reported, the weakness involves the way legitimate Android
applications are cryptographically signed to ensure they haven't been
modified by parties other than the trusted developer. Researchers at
security startup Bluebox provided high-level details of the vulnerability
last week, but omitted technical details most people would need to
reproduce the attack. That didn't stop developers of CyanogenMod, an
alternative Android firmware version, from piecing together the available
details into a bug report that identifies the conditions necessary for
exploiting the vulnerability. The report also incorporates the fix from
Google into the CyanogenMod code.

Working from that description, Pau Oliva Fora, senior mobile security
engineer at viaForensics, published proof-of-concept code that allows
anyone with a moderate level of skill to modify an existing Android app
without changing the cryptographic signature that's supposed to certify it
hasn't been tampered with. The 32-line exploit demonstrates the ease in
exploiting the vulnerability and the consequences the flaw might have for
people who install and update apps from third-party sources.

"I think it's a very serious vulnerability, and everyone with an unpatched
device should be cautious about what they install, especially if it
doesn't come from an official distribution channel," Oliva Fora wrote in
an e-mail to Ars.
[...]