
Android vulnerability allows attackers to modify apps - WinandVM
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
======
r3bl
Out of all the Android vulnerabilities so far, and out of all the devices that
are not running an up-to-date version of Android, what's your theory as to
why we have yet to discover a large Android botnet?

~~~
discreditable
A few reasons (imho):

* No one has really tried.

* Google will remove malicious apps from devices via Play Store if they spread too wide.

* A phone botnet would be pretty lame for ddos, which is what botnets seem to be all about these days. Their connections are unreliable, and utilizing the botnet for more than a few hours would kill its batteries.

Phone exploits seem to be more about harvesting personal data[1],
ransomware[2], and/or adware[3].

1\. [http://www.zdnet.com/article/this-bank-data-stealing-android...](http://www.zdnet.com/article/this-bank-data-stealing-android-malware-is-back-and-its-now-even-sneakier/)

2\. [http://www.zdnet.com/article/this-nasty-new-android-ransomwa...](http://www.zdnet.com/article/this-nasty-new-android-ransomware-encrypts-your-phone-and-changes-your-pin/)

3\. [http://www.bbc.com/news/technology-31129797](http://www.bbc.com/news/technology-31129797)

~~~
MuffinFlavored
What are some other things botnets could be used for?

~~~
nine_k
Stealing CPU cycles for mining, password cracking, captcha solving, etc?

~~~
discreditable
Don't forget spam!

------
aluhut
All those problems and I sit here with my Moto and the last patch from
February...

Good thing my guarantee runs out soon, so I can switch to something I can patch
myself.

~~~
tonyztan
Consider getting a Pixel. Guaranteed timely security updates for 3 years, and
you can flash your own images if you'd like.

~~~
pjmlp
€ 799.00, more than a month's salary for many people that I know.

Multiple month salaries in many 2nd and 3rd tier countries around the world.

Security as a privilege only for the rich people is not a solution.

~~~
tonyztan
You're right. The Nexus phones that Google used to sell were relatively
affordable and secure (like the Nexus 5X). Too bad that's no longer an option.

------
brianshaler
This seems noteworthy:

> Any scenario still requires the user to install the malicious update from a
> source outside the Google Play store.

~~~
blacksmith_tb
Agreed. Also this "The ... vulnerability affects ... Android 5.0 and newer...
Applications that have been signed with APK signature scheme v2 and that are
running on devices supporting the latest signature scheme (Android 7.0 and
newer) are protected against the vulnerability."

------
orblivion
From a user's standpoint, the impression I'm getting is this:

"A user might download a malicious update to an existing application from
someplace other than Google Play, and Android will incorrectly tell the user
that the application is valid."

Is this correct? Then they should say so in this article, perhaps in the
introduction. As a user I can look at the details later if I'm interested, but
for now I need to know what (not) to do to stay safe.

Again, beating the drum that security news needs to improve its messaging.

~~~
tonyztan
I believe your understanding is correct. And if you have security patch level
of 2017-12-01 or newer, you are safe from this vulnerability.

I agree that the article needs a TLDR at the top.

[https://source.android.com/security/bulletin/2017-12-01](https://source.android.com/security/bulletin/2017-12-01)

~~~
s73ver_
"And if you have security patch level of 2017-12-01 or newer, you are safe
from this vulnerability."

So, not most people.

------
junke
> The JAR signature scheme only takes into account the zip entries. It ignores
> any extra bytes when computing or verifying the application's signature.

Why? is there a use-case for this?

~~~
freeone3000
Because that's how `jarsigner` (the Java application) signs. The code
signature was fixed in Android 7.0.

~~~
0xtk
Does it mean the vuln only affects devices running < 7.0?

~~~
klyubin
The vuln affects all APKs on 5.0 <= Android < 7.0, and APKs not signed with
APK Signature Scheme v2 on Android 7.0 and newer.

------
Karliss
Apk are usually signed using v1 and v2 signatures for backwards compatibility.
Ripping out v2 signature would keep v1 signature valid. I hope Android 7
doesn't allow signing scheme downgrades if previously installed version was
signed with v2 signature.

_UPD_ Documentation states it does.

~~~
klyubin
Ripping out v2 signatures makes the APK invalid on Android 7.0 and newer. This
is because the v1 signature contains a special header X-Android-APK-Signed in
its META-INF/*.SF files. When Android 7.0 or newer encounters this header
without having encountered a valid v2 signature, it rejects the APK.

Installing a v1-only signed update to an APK which is v2 signed is permitted.
However, the update has to be the same versionCode or higher to be accepted,
meaning it can't be a downgrade in terms of versionCode. Thus, as long as you
don't produce updates/upgrades which are v1-only signed, you should be
protected against this vulnerability on Android 7.0 and newer.
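
As an added example (not code from the Guardsquare post or from any of the commenters), the following Python script illustrates two points made in this thread: the quote junke cites, that the JAR (v1) signature scheme covers only zip entries and ignores any extra bytes in the file, and klyubin's explanation that an SF file carrying the X-Android-APK-Signed header without an accompanying v2 signature is what Android 7.0+ rejects. The "APK" is a constructed zip with placeholder entries, not a real app; the data put in front of it is plain marker bytes, not a DEX. The trailing magic string of the APK Signing Block, "APK Sig Block 42", comes from the v2 format description rather than from this thread, and all function names are mine.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
# sig, disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len (22 bytes)
EOCD_FMT = "<4sHHHHIIH"
# Trailing magic of an APK Signing Block (v2 format); an assumption taken from the
# format description, not from the thread above.
V2_MAGIC = b"APK Sig Block 42"


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: placeholder entries plus an SF file that
    claims a v2 signature but no APK Signing Block is written. Not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.sample'/>")
        zf.writestr("classes.dex", b"placeholder bytecode " * 8)
        zf.writestr("META-INF/CERT.SF",
                    "Signature-Version: 1.0\r\nX-Android-APK-Signed: 2\r\n\r\n")
    return buf.getvalue()


def parse_eocd(apk: bytes) -> dict:
    """Locate the end-of-central-directory record and derive how many bytes sit in
    front of the zip. Readers find the central directory from the end of the file,
    so data prepended to the archive shows up as a positive delta here."""
    pos = apk.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, entries, cd_size, cd_offset, _ = struct.unpack(EOCD_FMT, apk[pos:pos + 22])
    return {"eocd_pos": pos, "entries": entries, "cd_size": cd_size,
            "cd_offset": cd_offset, "leading_bytes": pos - (cd_offset + cd_size)}


def entry_digests(apk: bytes) -> dict:
    """SHA-256 of each non-META-INF entry's content. The v1 scheme signs digests of
    entries like these, so anything outside the entries is invisible to it."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist() if not name.startswith("META-INF/")}


def prepend_bytes(apk: bytes, prefix: bytes) -> bytes:
    """Place data before the archive. No offset fix-up is needed: zip readers,
    Python's zipfile included, compensate via the delta computed in parse_eocd."""
    return prefix + apk


def sf_claims_v2(apk: bytes) -> bool:
    """True if any META-INF/*.SF file carries the X-Android-APK-Signed header."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.split(":", 1)[0].strip().lower() == "x-android-apk-signed":
                        return True
    return False


def has_v2_block(apk: bytes, eocd: dict) -> bool:
    """An APK Signing Block ends with V2_MAGIC immediately before the central directory."""
    cd_start = eocd["cd_offset"] + eocd["leading_bytes"]
    return cd_start >= 16 and apk[cd_start - 16:cd_start] == V2_MAGIC


def assess(apk: bytes) -> dict:
    """Summarize what a verifier sees. v2_stripped is the case klyubin describes:
    the SF header promises a v2 signature but no signing block is present."""
    eocd = parse_eocd(apk)
    claims = sf_claims_v2(apk)
    block = has_v2_block(apk, eocd)
    return {"leading_bytes": eocd["leading_bytes"], "sf_claims_v2": claims,
            "has_v2_block": block, "v2_stripped": claims and not block}


if __name__ == "__main__":
    original = build_sample_apk()
    modified = prepend_bytes(original, b"CONSTRUCTED-PREFIX" * 4)
    print("entry digests unchanged:", entry_digests(original) == entry_digests(modified))
    for label, blob in (("original", original), ("modified", modified)):
        print(label, assess(blob))
```

Run against a real APK, `assess` is a cheap pre-install check: a non-zero `leading_bytes` means the file does not start where the zip does, which a v1-only verifier will not notice, and `v2_stripped` flags the header-without-block state that a 7.0+ device refuses. It is not a signature verifier; it does not check certificates or digests in the SF and MF files.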

