Another Android Vulnerability Allows Hackers to Turn Legitimate Apps Into Malware

Chinese experts have discovered another way of altering apps without breaking signatures

By on July 12th, 2013 13:10 GMT

Chinese researchers have identified another vulnerability that could be leveraged to modify Android apps without altering their cryptographic signatures.

In a blog post (Chinese), the experts explain that the security hole is different from the one identified by Bluebox Security, but its effects are the same.

Pau Oliva Fora, the one who wrote the POC exploit for the “master key” flaw, and Bluebox representatives have confirmed for IDG that the new attack method is plausible.

However, the method described by the Chinese experts is more limited because it works only on APK files that are under 64KB in size.

Bluebox Security says that it has discovered a “slightly different” vulnerability than the one from the Chinese blog post that has fewer limitations. This method has already been reported to Google and a patch has already been released for it.

2 Comments

Another "master key"-like vulnerability found in Android
   Another "master key"-like vulnerability found in Android