More Exploits for Android 'MasterKey' Vulnerability Turn Up in the Wild

The vulnerability essentially offers a way for hackers to create a skeleton key of sorts to unlock access to a device and install malware – by posing as other, legitimate software

“So, although this vulnerability is not being widely used yet, there does seem to be more than just a passing interest from the cybercrooks in exploiting it,” said Sophos researcher Paul Ducklin, in a blog. He added, “The way it works is annoyingly simple.”

The exploit, which has been around for at least a month, doesn't actually crack any cryptographic keys, Ducklin noted. But the vulnerability itself essentially offers a way for hackers to create a skeleton key of sorts to unlock access to a device and install malware – by posing as other, legitimate software.

Android apps are delivered as ZIP-format files with the extension APK (Android Package). As Ducklin explains, an APK's META-INF subdirectory contains a digitally signed list of digests (checksums) covering every other file in the archive; before installation, each file in the APK is extracted, hashed and compared with that list. If there's a mismatch, the APK fails verification and is rejected.

“But if you put two files with the same name into the APK, which is not normally a useful thing to do in a ZIP-format file, Android verifies the first, but installs and uses the second,” he said. “So it's like having a master key, because you can effectively "borrow" some third party's package, program files, data, product name, icons, and digital signature...yet install and run something that the third party has never even seen, let alone tested or approved for use.”

The new samples carry executable code in the offending files that collects data such as the list of installed applications, text messages and the International Mobile Subscriber Identity (IMSI) of the SIM card. They also connect to a server at apkshopping.com and are built to send SMS messages to a list of numbers in China, an indicator that this is a fraud-based gambit.

Interestingly, the file they target is AndroidManifest.xml, the single master file every app contains that declares the app's name, the system libraries it uses and the Android security permissions it requires when it runs. Modifying this file without re-signing the app ought to cause an error, not least because the app might then no longer be bound by the security limitations its creator claimed for it. The samples contain multiple ZIP entries with this name, showing that the malware was using the duplicate-entry trick to pass off its own manifest as the signed one.
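The verify-the-first, install-the-second mismatch described above, together with the duplicate AndroidManifest.xml trick the samples use, can be reproduced in miniature. The following is an added example, not code from the article or from Sophos: it builds a ZIP with two entries named AndroidManifest.xml, models a verifier that keeps the first entry per name and an installer whose name map is overwritten by the last entry, and then shows the check that closes the hole, rejecting any archive with a repeated entry name. The manifest contents, the classes.dex placeholder and the digest table standing in for the signed META-INF list are all constructed for the demonstration; the two "views" are simplified models of the behaviour Ducklin describes, not Android's actual code.

```python
"""Android 'master key' (duplicate ZIP entry) bug, modelled in miniature.

Constructed example: a tiny APK-like ZIP with a benign signed manifest and a
second, unsigned entry of the same name that a last-entry-wins installer
would actually use.
"""
import hashlib
import io
import warnings
import zipfile

MANIFEST = "AndroidManifest.xml"

# Constructed manifests: the legitimate one asks for INTERNET only,
# the imposter adds SEND_SMS (the behaviour seen in the samples).
BENIGN_MANIFEST = (b'<manifest package="com.example.app">'
                   b'<uses-permission android:name="android.permission.INTERNET"/>'
                   b'</manifest>')
IMPOSTER_MANIFEST = (b'<manifest package="com.example.app">'
                     b'<uses-permission android:name="android.permission.SEND_SMS"/>'
                     b'</manifest>')

# Constructed placeholder for the app's code.
LEGIT_ENTRIES = [("classes.dex", b"dex\n035\x00placeholder"), (MANIFEST, BENIGN_MANIFEST)]


def build_apk(entries):
    """Write (name, data) pairs into an in-memory ZIP, duplicate names included.

    zipfile only warns about duplicate names; the ZIP format itself does
    not forbid them, which is exactly what the exploit relies on.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def sign_entries(entries):
    """Stand-in for the signed digest list in META-INF: one SHA-1 per name.

    The developer signs the original app, so digests are recorded over the
    original (first) occurrence of each name; the attacker cannot alter them.
    """
    digests = {}
    for name, data in entries:
        digests.setdefault(name, hashlib.sha1(data).hexdigest())
    return digests


def verifier_view(apk_bytes):
    """Model of the pre-fix verifier: the first entry with a given name wins."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():          # central-directory order
            if info.filename not in seen:
                seen[info.filename] = zf.read(info)
    return seen


def installer_view(apk_bytes):
    """Model of the pre-fix installer: a name->data map, so the last entry wins."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


def verify(apk_bytes, signed_digests):
    """Return True if every entry the verifier sees matches the signed digest list."""
    view = verifier_view(apk_bytes)
    if set(view) != set(signed_digests):
        return False
    return all(hashlib.sha1(view[name]).hexdigest() == digest
               for name, digest in signed_digests.items())


def has_duplicate_entries(apk_bytes):
    """The hardening: reject any archive whose central directory repeats a name.

    This is the check the vulnerable code lacked; with it in place the
    verifier and installer can no longer be looking at different files.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    return len(names) != len(set(names))


if __name__ == "__main__":
    digests = sign_entries(LEGIT_ENTRIES)            # developer signs the app
    tampered = build_apk(LEGIT_ENTRIES + [(MANIFEST, IMPOSTER_MANIFEST)])
    print("signature check passes:", verify(tampered, digests))
    print("installer would use:", installer_view(tampered)[MANIFEST])
    print("hardened check rejects:", has_duplicate_entries(tampered))
```

The repackaged archive passes the signature check because the verifier hashes the original manifest, yet the installer's name map hands back the imposter, which is precisely the "borrowed signature" effect Ducklin describes. Note that the legitimate developer's private key is never touched; the fix is not cryptographic at all, just refusing to install an archive with two entries of the same name.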

Fortunately, two of the three samples are flawed. “The modifications in this case have invalidated the APK, apparently because the crooks didn't reconstitute their hacked versions of the original files correctly,” Ducklin said.

The third malware sample did work, however. Adapted from an add-on pack called Fashion for a picture-based messaging app called Lexin, it has been retrofitted with imposter AndroidManifest.xml entries that survive signature verification, because the original entry is the one checked, while the duplicate is the one installed, bringing malicious code and additional security permissions with it.

Although the bug is fixed in the Android open source codebase, what’s critical to protecting users is the efforts of Samsung, LG, Motorola and other phone-makers to push updates for their devices in the field. “Google simply isn't saying anything about how long it's prepared to wait for its handset partners to get the fix out to Android users around the world,” Ducklin said.

In the meantime though, he added that users can greatly reduce the risk of infection by Android malware, of any sort, by taking apps only from the Google Play Store and running anti-malware software on the device.
