Slashdot: News for Nerds

Android Update Lets Malware Bypass Digital Signature Check

timothy posted 1 year,25 days | from the just-sign-here-mr-lector dept.

Android 85

msm1267 writes "A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature — an action that would normally set off a red flag that something is amiss. Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said. The vulnerability, Bluebox said, affects multiple generations of Android devices since 1.6, the Donut version, which is about four years old. Nearly 900 million devices are potentially affected."

85 comments

Looking forward to 1st August (4, Insightful)

gnoshi (314933) | 1 year,25 days | (#44185229)

It will be really interesting to see what this vulnerability is, on the 1st of August, since all that can be gathered from the press release is essentially:
It is possible to change an APK without changing its signature, and Android will not notice. That does have big implications, but it isn't enough detail to say anything much more than "Oh, that's not good".

Re:Looking forward to 1st August (-1, Troll)

Anonymous Coward | 1 year,25 days | (#44185287)

Bing, Bing, Bing, Bing, Bing, Bing, Bing! What was that sound? It's the sound of a Binger coming to aid those in need! You may have heard that Bing is inferior to Google, and I used to think the same thing before a certain event happened. You see, about two weeks ago I decided to give Bing a try; I searched for my wife's name and discovered that she was about to have a heart attack! Thanks to Bing, I was able to save my wife's life, and since then, I've been a rabid, frothing Binger. You should become a Binger, too! Bing can help you!

Don't believe me? Bing it on! You hoi polloi will never be able to comprehend the mind of a Binger until you become one yourselves! Join me in my Binging! [bingiton.com]

Re:Looking forward to 1st August (0)

Namarrgon (105036) | 1 year,25 days | (#44185437)

I'm curious; do you still get that $12 if you post as AC?

Re:Looking forward to 1st August (0)

tepples (727027) | 1 year,25 days | (#44185465)

Anonymous Coward and other non-subscribers cannot post through HTTPS. This means Microsoft can monitor the content of purported employees' and contractors' communications with Slashdot.

Re:Looking forward to 1st August (5, Funny)

Jeremiah Cornelius (137) | 1 year,25 days | (#44185541)

HOW can you COMPROMISE an APK file?

It USES HOSTS file!

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,25 days | (#44186311)

Not enough bold text, quotes about how awesome you are from publications printed 10 years ago that only "My First PC" type grandads read, and links to dodgy looking self-coded Delphi applications.

When spooks insert exploits into your apps (1)

tepples (727027) | 1 year,25 days | (#44187041)

I'm aware of the joke [slashdot.org]. Soon people will likely forget about APK the hosts file advocate, just as they have forgotten about Twitter the anti-M$ sock puppet master [slashdot.org].

But seriously, a hosts file blocks hostnames that you don't want programs on your device to connect to. That's all it does. It won't help when the spooks are MITMing your device's Internet connection to third-party Android package repositories like F-Droid and Amazon and inserting exploits of signature check failures like this.

Incorrect... apk (0)

Anonymous Coward | 1 year,25 days | (#44188309)

"a hosts file blocks hostnames that you don't want programs on your device to connect to. That's all it does" - by tepples (727027) on Thursday July 04, 2013 @08:11AM (#44187041) Homepage

Custom hosts do more than that tepples & also speed you up 1 of 2 ways too:

---

1.) "Hardcoding" your favorite sites in it (faster ip address resolution from host-domain names locally vs. remote DNS servers).

&

2.) Blocking adbanners (good & bad - which make up up to 40% of most websites' pages).

( + custom hosts files ALSO ADD: Reliability (vs. redirect poisoned or "downed" DNS servers), aid "anonymity" to an extent (vs. DNS request logs, + getting past DNSBLs), & add "layered-security"/"defense-in-depth" (blocking known malicious sites/servers/hosts-domains that are malscripted OR serve up malwares/botnets etc.-et al))

---

* LASTLY - I wrote you on this via your wiki page, email, & regarding points you made on hosts with corrections, not in a "malicious way" either ( & on "# of the beast" you discussed here too), here -> http://slashdot.org/comments.pl?sid=3738579&cid=43696537 [slashdot.org] (use it!!!)

---

The only "joke" around here is how EASILY I make mincemeat out of naysayers on tech points on this subject, every single time they *try* me on it!

APK

P.S.=> For a FULL list of benefits custom hosts files provide in (which I invite ANY "naysayers" to disprove me on no less):

A.) Added speed
B.) Added reliability
C.) Added "layered-security"/"defense-in-depth"
D.) Added "anonymity" (to an extent vs. DNS request logs + skirting DNSBL's too)

See here (enumerated list + a 100% FREE program by "yours truly" that makes creating a custom hosts file from 12 reputable & reliable sources, easy):

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

... apk

"Get thee behind me, Satan" - Jeremiah Cornelius (0)

Anonymous Coward | 1 year,25 days | (#44187445)

You state you don't do AC posts http://slashdot.org/comments.pl?sid=3667275&cid=43498013 [slashdot.org] in April 2013...

&

Yet earlier you said you do in 2011, here http://slashdot.org/comments.pl?sid=2238996&cid=36457458 [slashdot.org]

So which is it?

(You look bad busted on that account as a known online troll being caught posting 1 of 100's of your usually ac submitted spams here http://slashdot.org/comments.pl?sid=3581857&cid=43276741 [slashdot.org] using your registered luser name.)

* Don't they call Satan "king of liars"? He's in 2nd place compared to you Jeremiah Cornelius.

(After all, you said it above contradicting yourself!)

So, thus: Per my subject-line above:

Fact is, You LIE, + You troll ac & do sockpuppets to "mod yourself up with" & your opponents DOWN with!

(Just like your "pal" tomhudson = barbara, not barbie (same person, pal of JC's no less too & "trolls of a feather" FLOCK TOGETHER + use the same DIRTY tricks, & he/she got caught in & left in May 2012!).

So now you're eating crow for it being exposed & you know it. Your reactions show it as well as your own LIES quoted above!

PLUS - You brought it on yourself for those 100's of ac spamming posts on hosts files (which I dusted you on totally on technical issues regarding them vs. other solutions even) -> http://yro.slashdot.org/comments.pl?sid=3717059&cid=43634223 [slashdot.org] point by "so-called 'point'" of yours (easily).

APK

P.S.=> You stated you worked for Microsoft & now VMWare? B.S., not in a truly technical capacity, or I wouldn't make such mincemeat out of you repeatedly on technical information in computing also...

... apk

Re:Looking forward to 1st August (4, Insightful)

hairyfeet (841228) | 1 year,25 days | (#44185705)

Does he get paid in cash or in Bing points? And do they get paid by the hour, by the post, is there a prime time that they get paid extra for? Meh I use Bing and all I get is Bing points but at least that gives me a small slice of the pie, the way I see it if these search engines are gonna make money datamining my searches the least they can do is give me a slice. Plus I like their animated search page and the image search is quite nice.

As for TFA...sigh, we already knew that Android was gonna hit its one millionth infection by this summer [techworld.com] so while the fact that somehow (wow does TFA suck when it comes to details) they bypassed the checks as the guy that gets called when the stuff breaks I can tell you...they honestly didn't need to bother, people will happily infect their phones and tablets without a thought in the world. I swear it's the damnedest thing, it's like the SECOND you put it on another medium? all the old rules no longer apply. I've seen email scams that haven't worked on PCs in years, lame "just download our player" scams which again haven't worked on PCs in years, it's like the second the device is in a different form factor it ceases to become a "computer" and instead becomes "a magic screen which I push that does stuff" so for some damned reason all the rules they learned when running PCs just aren't even applied to the new medium.

And I'll get hate for saying it but truth is truth, and hopefully the huge number of Android infections will lay to rest the lie that "Oh this OS is different, it doesn't get bugs" bullshit. ALL OSES, be they Windows, Linux, or OSX are frankly some of the most complex software platforms EVER created by man, and since man is fallible there WILL be bugs and if there are enough users to make it worth the trouble it WILL be exploited. The reason Linux and OSX got away with so few bugs as long as it did was because they just weren't a juicy enough target, and before anybody screams "servers!" don't waste your breath, servers are highly stripped down, locked down, and controlled by VERY smart guys with a shitload of education. Servers are as different from a user oriented OS as a router is, other than the fact they both run on hardware they really don't have much in common.

But give it a few years and the users will begin to learn to show common sense with these mobile devices, the ones writing the OSes for these devices will learn to harden the shit out of them, then we'll see malware infections drop for awhile...until the next new thing comes out which users will treat like a magic box and we'll be back at square one all over again, sigh.

Re:Looking forward to 1st August (2)

DrXym (126579) | 1 year,25 days | (#44186499)

I wonder how many of those infections occurred from apps in the Play store versus those acquired through other means, e.g. warez sites.

Re:Looking forward to 1st August (1)

DJRumpy (1345787) | 1 year,25 days | (#44186979)

Technically, they could come from either. There is no guarantee that something from the Play store is clean. I also have to wonder what will happen to the millions of phones that simply don't get updates from the handset vendors. Granted the geek crowd can probably update most, but there will be literally millions upon millions that will have this vulnerability until they die or are replaced.

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,25 days | (#44187883)

While it doesn't guarantee something is safe, it's still 99.9% safe. Any malware is booted the instant it's found, and Bouncer proactively tries to weed them out.

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,25 days | (#44188401)

Claiming something is safe because it's removed after it's found shows a bit of a problem...

Re:Looking forward to 1st August (2)

DrXym (126579) | 1 year,25 days | (#44188177)

Technically they could come from either but in practice? If I buy a popular game for 99c on Play which is free on a p2p site, which is most likely to be the malware?

And most likely Google and AV vendors are very active in policing the store, putting apps through their paces in virtualized devices looking for suspicious behaviour, weeding out malware attempts, remote killing any installs of said malware. Whereas some guy who installs an apk they got from a torrent site gets none of that and probably stands a larger chance of infection to go with it.

Re:Looking forward to 1st August (0)

hairyfeet (841228) | 1 year,25 days | (#44188139)

I bet a LOT come from the playstore because all it takes is even a couple of hours being in the top 30 of the playstore for an app to easily hit 30k plus. For a malware writer getting 30k+ infections onto a device the average user has ZERO CHANCE of cleaning themselves? That is fucking gold man, believe me as the guy who has to deal with this shit I can tell you that most users are more vulnerable than users of Win98 back in the day. They have NO idea what their phone is doing, have NO idea how to even check, it's just a magic screen so all you need is to get on it and it's gonna be gravy for a looong time, possibly the life of the device.

Then you add up how many OEMs don't put out updates, how many are still selling Android 2.3 devices (go look at Walmart.com if you don't believe me, a good 70%+ of their devices are still 2.x) and how fricking difficult it is to update/upgrade a lot of these devices? It's malware heaven, it makes the flood of noobs during the AOL days look like a LUG meeting, it's a nightmare. Honestly the only real advantage we have now is that there are a lot of users that frankly don't know how to use warez sites, just as to this day there are many that can't use a P2P site that isn't "find on Google, click on link" simple so too does most have zero clue how to sideload squat. But all it takes is even a couple of hours of being on the playstore to infect a loooot of devices and with many not knowing how to even see if their device is infected or not? It's a malware writer's wet dream man, it's a mess.

Re:Looking forward to 1st August (1)

DrXym (126579) | 1 year,25 days | (#44188189)

A malicious app author's chances of being in the top 30 without cause to be there are about zero.

Re:Looking forward to 1st August (1)

hairyfeet (841228) | 1 year,22 days | (#44207025)

Citation please? Because we have seen several apps in the past few months that had "timers" on them that didn't start sending out info until it had reached a metric (been played X number of times, used for X number of months) and those seemed to get through the playstore just fine.

So unless you can provide a citation that Google is doing long term testing and simulations on EVERY app that comes through their store I gotta call bullshit, as malware is a billion dollar business so they don't make shit stupidly obvious anymore friend, which is why it's so much harder to catch. Hell I have even seen malware that would tone itself down when the user started doing any real work so the system wouldn't act sluggish and give them away, damned tricky the new malware writers are, it's really hard to catch some of this stuff.

Re:Looking forward to 1st August (1)

cheaphomemadeacid (881971) | 1 year,25 days | (#44188107)

Well to be fair, the smartphone market has reached a lot of new users, which should explain at least some of the old scams working again...

Re:Looking forward to 1st August (1)

BasilBrush (643681) | 1 year,25 days | (#44188543)

"ALL OSES, be they Windows, Linux, or OSX are frankly some of the most complex software platforms EVER created by man, and since man is fallible there WILL be bugs and if there are enough users to make it worth the trouble it WILL be exploited."

Which is why you have to consider the means by which software gets on the system. There are many, many computer platforms that have never had malware. Take an industrial controller - what's the mechanism by which malware can get on the device in the first place? Most of them aren't even connected to the internet.

"they honestly didn't need to bother, people will happily infect their phones and tablets without a thought in the world. I swear it's the damnedest thing, it's like the SECOND you put it on another medium?"

That's why the iOS single curated app store is a good idea. Ordinary users are just not computer security aware to protect themselves. Better that they can only access from a source that only has pre-approved software, and where any software that is subsequently found to be malware can be removed once and for all.

Unlike the industrial controller, a smartphone can't be decoupled from the internet. So creating a system when apps can only come from a single source is the next best thing.

Re:Looking forward to 1st August (1)

maccodemonkey (1438585) | 1 year,24 days | (#44190433)

"ALL OSES, be they Windows, Linux, or OSX are frankly some of the most complex software platforms EVER created by man, and since man is fallible there WILL be bugs and if there are enough users to make it worth the trouble it WILL be exploited."

iOS still has a significant marketshare, yet an insignificant number of security breaches.

Sure, some of this could be (I say could because there isn't much evidence backing this) because iOS is a more locked down platform. But by your own thesis this platform should have plenty of security problems.

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,25 days | (#44186329)

I'm pretty sure he is making a joke. The line about typing his wife's name into bing and it telling him she was about to have a heart attack is kind of a big give away. Then again I don't want to get in the way of how much fun it is calling people shills. Spotting the M$ shill is getting a bit old though; they are either very obvious, a joke, or they just don't hate ms as much as a lot of /. Now spotting the google shill is much more challenging because of all the stupid fanboys that would support google even if it became mandatory to supply dna for a gmail account. Spotting NSA shills is even more fun but I'm not entirely sure of the consequences.

Re:Looking forward to 1st August (-1, Troll)

Anonymous Coward | 1 year,25 days | (#44185595)

I binged your wife's name but all I found were pictures of her having sex with a dog.

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,25 days | (#44186115)

Was that dog powered by Google Hemorrhoid?

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,20 days | (#44220813)

A dog? Must have been cropped.

Re:Looking forward to 1st August (4, Insightful)

Sun (104778) | 1 year,25 days | (#44186211)

I will wager a guess as to what the vulnerability is. If that is not it, then it just means there is another vulnerability.

I'll just state that I'm not sure this is it, as what I'm talking about is not triggerable via an update. You would need root to trigger it.

The information I am writing here is a product of my own research. It may or may not be the same as discussed above, but the symptoms are similar enough that I think it is.

An APK is a zip file composed of two main parts. The compiled dalvik code (in a file called classes.dex), as well as the resources (spanning multiple files, exact format irrelevant here). All of those files are listed in a directory inside the APK with their hash, and that file is digitally signed. This is the Android signing process.

The code, however, is in a format that is not immediately usable. I'm a bit fuzzy on the specific details, but the general idea is that you would need to adapt it to load addresses, based on everything else running in the same address space (the framework, and other libraries, if applicable). As a result, when Android first sees an APK, it does "optimization", in which it essentially takes the dex file, does all of the necessary relocations, and stores it in a directory called "dalvik-cache". As long as none of the APKs on which this cache file depends changed (the cache file stores the hashes for the original APK and all other dependencies), then Android does not bother with the classes.dex file stored inside the APK. It simply loads the optimized dex (odex) directly from the cache whenever needed. Needless to say, the odex is not hashed and is not signed. If you change it, Android will load your modified code without complaining.

I had more to say, and typed it in and all, but then I got "Filter error: Lameness filter encountered" error. Probably too long. I think you will have to make do with the first half of my comment :-)

Shachar

Re:Looking forward to 1st August (4, Insightful)

Sun (104778) | 1 year,25 days | (#44186257)

Second half of above comment:

It gets worse, however. Some vendors do not like the fact that after factory reset, the phone takes a long time to boot as it turns all of the dex files into odex files. They also do not like the fact that these files take space in the data partition, which is where downloaded APKs and application data is stored by default. As a result, Android has a mechanism by which you can place an APK in the system partition that is already odexed. The APK file does not contain a classes.dex file at all. Instead, next to the APK there is another file, called with the same base name and an .odex extension. On such a system, the original, signed, code is not around, and all of the actual code of the application is unsigned.

The severity of this attack, scary though it may sound, is not very high. You need root access in order to change the system folder or access the dalvik-cache directory. There is no privilege escalation. Just running unsigned code that seems to be signed. Also, any change to other parts of the system will invalidate the cache, and cause your exploit to disappear.

All in all, an interesting, but not very scary, vulnerability.

Shachar

Re:Looking forward to 1st August (4, Informative)

mmurphy000 (556983) | 1 year,25 days | (#44186827)

Quoting Andy Fadden, an Android systems engineer, from his recent StackOverflow answer on this subject [stackoverflow.com]:

"The assumption is that, if an attacker is able to replace a .odex file, they have sufficient permission to do any number of other things."

Re:Looking forward to 1st August (1)

gl4ss (559668) | 1 year,25 days | (#44188431)

"Quoting Andy Fadden, an Android systems engineer, from his recent StackOverflow answer on this subject [stackoverflow.com]:"

"The assumption is that, if an attacker is able to replace a .odex file, they have sufficient permission to do any number of other things."

yeah.. if it really needs local root.. then .. what the fucking kind of exploit is that?

Re:Looking forward to 1st August (4, Funny)

Anonymous Coward | 1 year,25 days | (#44185289)

Pffft... Like carriers push updates.

Re:Looking forward to 1st August (3, Interesting)

Anonymous Coward | 1 year,25 days | (#44185507)

So you can only get infected if you side load apks from sketchy sources. Play store users are safe.

How is this any different if you side load apps on iOS devices?

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,25 days | (#44185585)

Apparently iOS doesn't have this vulnerability. Duh.

Re:Looking forward to 1st August (1)

Anonymous Coward | 1 year,25 days | (#44185631)

You need to tick the checkbox that allows sideloading. With this vulnerability you don't need to tick the checkbox.

Re:Looking forward to 1st August (1)

Namarrgon (105036) | 1 year,25 days | (#44185703)

Actually, since Google have already patched the Play Store, it's still a safe channel. So you'd still have to sideload to risk being affected.

Re:Looking forward to 1st August (1)

Anonymous Coward | 1 year,25 days | (#44185767)

"Actually, since Google have already patched the Play Store, it's still a safe channel. So you'd still have to sideload to risk being affected."

Yeah but you don't need to tick the check box that says "allow apps from unauthorized sources".

Re:Looking forward to 1st August (1)

yincrash (854885) | 1 year,25 days | (#44186133)

Yes. You would.

Re:Looking forward to 1st August (1)

Chatterton (228704) | 1 year,25 days | (#44186357)

The problem is that Google get more and more apps out of the play store (eg: GameCIH (memory editor), Rooting app...). Now it is hard to find these apps, you need to go to shady places to sideload them. This is 'great' for security :(

Re:Looking forward to 1st August (1)

smash (1351) | 1 year,25 days | (#44187337)

So by extension, if you want to remain safe, you need to revert the device back to functionality Apple provides with iOS.

Why do I want to run Android again?

Re:Looking forward to 1st August (1)

Reapman (740286) | 1 year,25 days | (#44188047)

There's a bigger difference between iOS and Android than just Sideloading. Change the default apps for email, maps, etc to whatever you want. Skin the UI. Make the choice and run a rooted custom version of Android. Different selection of handset sizes. Etc.

If anything, Sideloading is pretty useless for the majority of users. It's the other things that people use generally that makes Android different.

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,25 days | (#44188181)

The Stockholm syndrome is strong in this one.

Re:Looking forward to 1st August (1)

Namarrgon (105036) | 1 year,24 days | (#44193199)

Because *you* consider the options and make the choice for yourself, instead of some corporation that doesn't know anything about your situation.

If you don't trust yourself with that responsibility, then of course you're free to hand it to Apple instead.

Re:Looking forward to 1st August (1, Informative)

tlhIngan (30335) | 1 year,25 days | (#44185871)

"So you can only get infected if you side load apks from sketchy sources. Play store users are safe."

"How is this any different if you side load apps on iOS devices?"

Play store apps are safe NOW since Google was alerted to this in February and had a chance to update their scanners.

But there's still plenty of ways of sideloading apps and who knows if they're sketchy? The problem is Android does not allow sideloading apps from certain alternative stores - it's either Play Store only or everyone.

E.g., if you use Amazon, Humble Bundle, your "Allow non-Play store apps" checkbox is checked and you're vulnerable to sketchy APKs.

And APKs can be installed without your knowing - there exist several lockscreen hacks for many phones that let you get enough access to install a lockscreen bypass app from the Play store. Someone doing that can install their sketchy app and then reset your phone back to normal.

And you can't sideload iOS apps - they must come through the App Store. The only way is to either jailbreak, or install a developer certificate provisioning file that lets you install developer-signed apps. Or enterprise signed apps. Unlike Android, most iOS users don't have these installed, though if you can bypass the lock screen, you can install it. (Though since these certs are signed by Apple, Apple could revoke them if that's their use).

Re:Looking forward to 1st August (1)

BasilBrush (643681) | 1 year,25 days | (#44188437)

"So you can only get infected if you side load apks from sketchy sources. Play store users are safe."

"How is this any different if you side load apps on iOS devices?"

[assuming iOS had the same vulnerability...]

"Sideloading" from other stores is a standard feature of Android. It's not with iOS. Thus this can hit ordinary users with standard Android phones. But not ordinary users with standard iOS.

The step to iOS Jailbreaking is far more of a jump, and an awareness that it breaks security protection than changing a preferences option in Android.

Furthermore, let's assume that in each case, the vulnerability is fixed with the next minor version of the OS. On iOS, the majority of users will be on the new invulnerable OS within a week of its release day. With Android, the average user is on a 3 year old OS version, so on average they won't get the fix for another 3 years.

Basically there is no comparison. iOS users are massively more secure than Android users.

Re:Looking forward to 1st August (1)

Anonymous Coward | 1 year,25 days | (#44185547)

I'm sorry, but I have a hunch that anybody involved in the android modding community already knows what this "vulnerability" is. I just hope it's not what I think it is, cuz I like to mod my phone, and if they "fix" this, it puts an end to my hobby.

Re:Looking forward to 1st August (4, Informative)

complete loony (663508) | 1 year,25 days | (#44185735)

APK's are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed.

Either way, you will still need to trick people into installing your version of the apk.

Re:Looking forward to 1st August (-1)

Anonymous Coward | 1 year,25 days | (#44185791)

"APK's are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed."

"Either way, you will still need to trick people into installing your version of the apk."

It's not as difficult as it seems. Just email the APK file to everyone.
http://thedailywtf.com/Articles/The-Email-Virus.aspx

Re:Looking forward to 1st August (1)

Anonymous Coward | 1 year,25 days | (#44185969)

"APK's are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed."

"Either way, you will still need to trick people into installing your version of the apk."

My guess is this: Android just checks the first files matching in the jar/zip for the names, but installs the files found last in the jar (or vice versa, zip files can have multiples of the same filename).
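An added example, not part of any poster's comment: a defensive audit of the two things discussed in this thread, the per-file hashes in the signed manifest that Sun describes and the duplicate-filename guess in the comment above. It flags names that occur more than once and checks every copy against the manifest digest. The function names and the in-memory sample archive are constructed for illustration, and verifying the signature over the manifest itself is assumed to be done elsewhere.

```python
import base64
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict

MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Map entry name -> (hash algorithm, expected digest) from a JAR manifest."""
    # Lines longer than 72 bytes continue on the next line after a single space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    digests = {}
    for section in text.split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in section.split("\n") if ": " in l)
        name = attrs.get("Name")
        if name is None:
            continue  # the main section has no per-file digest
        for key, value in attrs.items():
            if key.endswith("-Digest"):
                # "SHA1-Digest" -> "sha1", "SHA-256-Digest" -> "sha256"
                algo = key[: -len("-Digest")].replace("-", "").lower()
                digests[name] = (algo, base64.b64decode(value))
    return digests


def audit_apk(apk_bytes):
    """Return findings as (kind, entry name, detail); an empty list means clean.

    Only the manifest digests are checked here; the signature that covers the
    manifest (the .SF/.RSA files) is assumed to be verified separately.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        copies = defaultdict(list)
        for info in zf.infolist():  # every central-directory record, duplicates included
            copies[info.filename].append(info)
        expected = {}
        if MANIFEST in copies:
            expected = parse_manifest(zf.read(copies[MANIFEST][-1]).decode("utf-8"))
        for name, infos in copies.items():
            if len(infos) > 1:
                findings.append(("duplicate-name", name, len(infos)))
            if name.startswith("META-INF/"):
                continue  # signature files are not listed in the manifest
            if name not in expected:
                findings.append(("not-in-manifest", name, None))
                continue
            algo, want = expected[name]
            for index, info in enumerate(infos):
                # Hash each copy separately so first-match and last-match
                # readers cannot disagree about which bytes were checked.
                if hashlib.new(algo, zf.read(info)).digest() != want:
                    findings.append(("digest-mismatch", name, index))
    return findings


def build_sample(entries):
    """Constructed sample: archive from (name, data) pairs; the manifest
    records the digest of the first copy of each name only."""
    lines, seen = ["Manifest-Version: 1.0", ""], set()
    for name, data in entries:
        if name not in seen:
            seen.add(name)
            digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
            lines += [f"Name: {name}", f"SHA1-Digest: {digest}", ""]
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but writes them
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(MANIFEST, "\n".join(lines) + "\n")
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample([("classes.dex", b"original code"), ("res/a.xml", b"<x/>")])
    odd = build_sample([("classes.dex", b"original code"), ("classes.dex", b"other bytes")])
    print("clean:", audit_apk(clean))
    print("duplicate:", audit_apk(odd))
```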

Re:Looking forward to 1st August (2)

julesh (229690) | 1 year,25 days | (#44186665)

"APK's are signed with what amounts to the normal jar signing process. So either they have found a way to create a hash collision, or there's some other bug in the verification process that allows some unsigned code to be included in the file and executed."

AIUI, at least part of the APK signature verification only happens when you first install the APK. If you modify the file on the data partition (for which you would require root access), you can actually change the code and android does not notice that it no longer has a valid signature. I have done this, years ago, on a Froyo install for a phone that was running on a very slow processor, in order to remove certain delays (e.g. animation of screen on/off, which was taking too long). Nothing ever noticed that the apks had been modified.

markingmachin (-1)

Anonymous Coward | 1 year,25 days | (#44185921)

we are Pneumatic marking machine manufacturers,suppliers,supply two-tone metal carving pen,Semiconductor laser marking machine,part engraving machine and electric carving pen.

www.sinomarking.com

Re:Looking forward to 1st August (-1)

Anonymous Coward | 1 year,25 days | (#44186795)

Why not buy a android tablet PC as gift for your friend and family? Premium android tablet PC,Hyundai,Ainol,Ramos,Vido,Pipo etc brand.
Price is from USD 70-220.Best quality and perfect after service.

Just login: www.aliexpress.com/store/512450
Email: sale02@rainbow-elec.com
Skype: rainbow-tablets

Re:Looking forward to 1st August (0)

Anonymous Coward | 1 year,23 days | (#44195917)

Stolen tablets? Do I need to buy the charger and cables?

Re:Looking forward to 1st August (1)

K. S. Kyosuke (729550) | 1 year,25 days | (#44186925)

It is possible to change an APK without changing its signature, and Android will not notice.

Just don't forget to update your hosts file.

900 million is a pretty big number (1)

fustakrakich (1673220) | 1 year,25 days | (#44185261)

I wonder how many of these 'vulnerabilities' are intentional, and get patched only when caught. Obviously these contraptions are wide open.

Re:900 million is a pretty big number (5, Insightful)

Anonymous Coward | 1 year,25 days | (#44185621)

And thus we dispel one of the many myths of open source. F/OSS is not bad and proprietary software is not necessarily better in any way or any of that shit but the cold hard fact is that even if you have access to the source code this sort of thing is going to happen! Nobody is reading and understanding all the code in its entirety being assured that there are no vulnerabilities or backdoors, no matter how much the fossies like to believe it.

I'm not advocating one way or the other, just sayin that whole argument about security because we have access to the source code is rubbish.

Re:900 million is a pretty big number (2)

Agent ME (1411269) | 1 year,25 days | (#44185881)

One of the things I've liked about open source is that it makes vulnerabilities more accessible. I mean that I like that from a user's point of view. If vulnerabilities are easier to discover, then it's easier for them to become publicized and fixed, especially if many vulnerabilities are discovered coincidentally by many groups. If vulnerabilities are hard to discover, then only someone spending all their time searching for vulnerabilities is likely to find it (as opposed to users or system administrators that only do quicker searches since they're more busy just keeping things working), and then it's easier for them to keep it secret so they can use it themselves for years.

Re:900 million is a pretty big number (0)

Anonymous Coward | 1 year,25 days | (#44185933)

Well yes, it's equally hard or easy to find the vulnerability for those who want to exploit or fix it (in the case of proprietary software it's the vendor who will fix it but that is also the case for the vast majority of instances of Android running on devices). I am sure the diehards will fix it on their own devices but a global fix is likely to take much longer (and in many cases it probably will not happen due to lack of vendor support). So it (like proprietary software) is a double-edged sword, which is precisely why the two methodologies can co-exist. Sometimes one is best sometimes the other is best.

Re:900 million is a pretty big number (0)

Anonymous Coward | 1 year,25 days | (#44188153)

Yes. The big difference with open source vs proprietary is however that if that happened to Linux, I could install a patch and be safe. On Android phones that have a locked bootloader you're fucked. Your manufacturer stopped updates to their phone. You cannot install Cyanogen because the bootloader is locked. You're fucked and left with an exploitable device for eternity.

Re:900 million is a pretty big number (0)

Anonymous Coward | 1 year,24 days | (#44191461)

What'd you buy a device with a locked bootloader for? The first question anyone should ask before buying any Android device is "can I install a custom ROM on this?"

Re:900 million is a pretty big number (1)

Anonymous Coward | 1 year,24 days | (#44191787)

The first question anyone should ask before buying any Android device is "can I install a custom ROM on this?"

thanks for the laugh, the funny thing is there are actually people so disconnected from reality that they would actually believe that.

Re:900 million is a pretty big number (0)

Anonymous Coward | 1 year,24 days | (#44191813)

I don't see anything funny with that at all. If you buy a locked device, don't complain when it inevitably breaks and you can't fix it yourself.

Android fragmenting (4, Interesting)

willthiswork89 (2885827) | 1 year,25 days | (#44185269)

With all the fragmented versions of Android, I sure hope that everyone (Verizon, att, etc) can get their heads out of their ass to get this patched. I'm concerned for the people using these things for business, but consumers could be affected majorly too. I guess we can't be sure exactly how bad of an issue this is until the first though.

Re:Android fragmenting (-1, Troll)

Anonymous Coward | 1 year,25 days | (#44185471)

This is exactly why proprietary solutions (iPhone and Windows) are better.

Re:Android fragmenting (-1)

Anonymous Coward | 1 year,25 days | (#44185645)

This is exactly why proprietary solutions (iPhone and Windows) are better.

I wouldn't say it makes them better, but it certainly is an advantage of them. Looking at just this factor alone though the ability to look at the code hasn't resulted in this vulnerability being picked up for many years (and even then we don't know if it was even discovered thanks to the source being open) and the fragmentation (through vendors forking the codebase) means a fix will take longer and in some cases won't materialize at all.

Re:Android fragmenting (0)

Anonymous Coward | 1 year,25 days | (#44186053)

I wouldn't say it makes them better, but it certainly is an advantage of them.

Proprietary software has no advantages.

Looking at just this factor alone though the ability to look at the code hasn't resulted in this vulnerability being picked up for many years

FOSS is still better eventually though, proprietary software is always crap.

and the fragmentation

...is a feature! not a bug!

means a fix will take longer and in some cases won't materialize at all.

consumers should be more proactive in their choices! it takes time to understand the consequences of the choices we make when we choose particular hardware that has particular software distributions forked by OEMs from the original vendor. users should be asking the question of whether the bootloader is unlocked, whether the stock android experience is available, what the software support chain is and what is the state of the openness of the drivers for the particular handset. ignorance is no excuse and for that i mod you down!

Re:Android fragmenting (1)

tepples (727027) | 1 year,25 days | (#44186991)

Anonymous Coward wrote:

Proprietary software has no advantages [and] is always crap.

I agree with you that free software has proven itself excellent for libraries and frameworks. But there are a few kinds of software [pineight.com] that free software hasn't been able to match, such as video games, playback software for digitally restricted motion pictures, and tax preparation software. As I've said before, the "year of the FOSS desktop" is the year when these get ported [slashdot.org].

the fragmentation [of the Android platform]

is a feature! not a bug!

It's a bug when it includes the habit on the part of certain device manufacturers and wireless carriers of not compiling, testing, and shipping security updates for devices that they have sold and which are still under a two-year contract. It's a bug when one finds an application unusable because of an oversight in how Android was implemented on a particular device.

Re:Android fragmenting (4, Interesting)

ADRA (37398) | 1 year,25 days | (#44185649)

Regardless of the infection, you still need physical access to the APK in question in order to circumvent its security, which seems like a feat in itself. I suppose this is akin to a local security rights elevation. It's a big deal, but doubtfully something that would reach mass infection levels.

Re:Android fragmenting (1)

gl4ss (559668) | 1 year,25 days | (#44188447)

Regardless of the infection, you still need physical access to the APK in question in order to circumvent its security, which seems like a feat in itself. I suppose this is akin to a local security rights elevation. It's a big deal, but doubtfully something that would reach mass infection levels.

I don't know about that.. 3d printers are pretty popular nowadays.

Re:Android fragmenting (3, Insightful)

Anonymous Coward | 1 year,25 days | (#44185887)

Patches? Hahahahahahaha

I'm pretty sure my carrier forgot my phone model existed the moment they sold it to me. It's a buggy piece of shit that hasn't ever gotten any patches.

If google were competent... (4, Funny)

JThundley (631154) | 1 year,25 days | (#44185569)

If Google were competent they would have shipped Android with a modified HOSTS FILE. Hosts files can protect you from APK modification and cubic time bastards.

Re:If google were competent... (0)

Anonymous Coward | 1 year,25 days | (#44185695)

I'm curious, how would a different hosts file help you in this situation?

Re:If google were competent... (4, Funny)

93 Escort Wagon (326346) | 1 year,25 days | (#44185713)

I'm curious, how would a different hosts file help you in this situation?

It makes it easier for you to recognize jokes than the default hosts file does.

Re:If google were competent... (3)

noh8rz9 (2716595) | 1 year,25 days | (#44185827)

$10,000 CHALLENGE to ACs to recognize humor on slashdot...

Re:If google were competent... (0)

Anonymous Coward | 1 year,25 days | (#44185869)

$10,000 CHALLENGE to ACs to recognize humor on slashdot...

Ha ha?

Re:If google were competent... (1)

tangent3 (449222) | 1 year,25 days | (#44186005)

The moderation (+4, Funny) should have been a dead giveaway....

Ah, Java... (2, Insightful)

Anonymous Coward | 1 year,25 days | (#44186019)

...write once, zero-day everywhere!

This is like "cyber" (0)

Anonymous Coward | 1 year,25 days | (#44186105)

You know, the keyword governments and the like use to show off they have no fscking idea what you're talking about. "Hacker" used by "security researchers" this way (including self-described "hackers" of any self-described hat colour) really mean to say they're uncreative ham-handed hacks with, indeed, no real clue about security.

The downside, as with governments and sensible policy, is that these bozos are ubiquitous in security, and so are like consultants to an IT project: They're making good money in prolonging the problem.

If we want real computer security, we have to start looking through the noise. The simplest way is to ignore anyone who uses "hacker" and "hacking" as "someone or something vaguely related with something computer-y and probably dodgy too".

Name things for what they are, not with fancily abused terms that really have quite a different, and non-nebulous, definition.

Warning! Don't update (0)

Anonymous Coward | 1 year,25 days | (#44186921)

Android Update Lets Malware Bypass Digital Signature Check

So an update will allow malware to bypass digital signature check. I'm sure not updating then.

Android is based on Linux (0)

smash (1351) | 1 year,25 days | (#44187327)

how dare anyone post anything security related about it. linux is secure, and apple's locking down of the device is evil. etc.

Re:Android is based on Linux (0)

Anonymous Coward | 1 year,25 days | (#44188197)

Microsoft always said if Linux were to become as popular as Windows, it'd have the same problems. Looks like they were correct.

Re:Android is based on Linux (1)

0123456 (636235) | 1 year,25 days | (#44188277)

Android != Linux. Digital signature checks are part of the Android runtime, nothing to do with the underlying OS.

There are plenty of embedded Linux systems that are totally insecure -- my webcam, for example, came by default with a telnet port that took you to a root shell -- but that's nothing to do with Linux.

Re:Android is based on Linux (0)

Anonymous Coward | 1 year,24 days | (#44191205)

Android != Linux. Digital signature checks are part of the Android runtime, nothing to do with the underlying OS.

If you mean nothing to do with the kernel then neither are most Windows vulnerabilities. When these people speak of "Linux" what they mean is "Linux distributions" because nobody runs just Linux so suggesting that comparisons of other operating systems (like Windows or OSX) to Linux are actually comparing the full OS to the Linux kernel is ignorant or just being deliberately obtuse.

There are plenty of embedded Linux systems that are totally insecure -- my webcam, for example, came by default with a telnet port that took you to a root shell -- but that's nothing to do with Linux.

Yes it is a Linux system - like you said - that is insecure, which is what they were saying too.

Re:Android is based on Linux (0)

Anonymous Coward | 1 year,25 days | (#44188539)

Given that this vulnerability is not in Linux code, you are a retard.

Re:Android is based on Linux (0)

Anonymous Coward | 1 year,25 days | (#44188685)

I think the underlying point is that: when you are large enough, you will become a target. Whether you are Windows, iOS, Linux or Android... THAT certainly looks like it is true...

Re:Android is based on Linux (1)

smash (1351) | 1 year,21 days | (#44213835)

Given that I never said the vulnerability was in Linux code, and you don't seem to understand parody, it looks like you're the retard.