Last week, security researchers from BlueBox Security uncovered details about an Android exploit that can be leveraged to bypass code integrity checks and use specially crafted APKs to install malware. Bitdefender has issued an update to the Bitdefender Mobile Security & Antivirus suite, as well as to Antivirus Free for Android, to detect and block Android package files that abuse this vulnerability to deliver malware.
According to the initial research, the flaw resides in the way Android checks digital signatures in the Android package about to be installed. Such a specially crafted APK – basically a ZIP archive – contains two files with identical names – one is digitally signed and the other carries malicious code. When Android looks up the files in the APK against the Android manifest file (manifest.mf), it validates the first file as digitally signed, but the second file overwrites it upon extraction. Android does not check it again, as the name has already passed digital signature inspection, thus making room for malware.
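The mismatch described above, a verifier that sees the first entry while extraction keeps the last, can be detected at the ZIP level without any signature parsing: an APK whose central directory lists the same name twice should be rejected outright. The example below is added here and is not Bitdefender's detection code; the archive contents are constructed stand-ins for an APK, and the entry names and payload bytes are assumptions.

```python
import io
import warnings
import zipfile
from collections import Counter


def entries(data: bytes) -> list:
    """Central-directory entries of a ZIP/APK, duplicates included.
    zipfile only warns on duplicate names and keeps every entry, which is what we want."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()


def find_duplicate_entries(data: bytes) -> dict:
    """Map each name listed more than once to [(index, crc32, size)] in archive order."""
    infos = entries(data)
    counts = Counter(i.filename for i in infos)
    return {name: [(idx, i.CRC, i.file_size) for idx, i in enumerate(infos) if i.filename == name]
            for name, n in counts.items() if n > 1}


def first_vs_last(data: bytes, name: str) -> tuple:
    """Bytes of the first entry called `name` (what a verifier walking the entries sees)
    versus what a by-name lookup returns (the last entry, which wins on extraction)."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            first = next(i for i in zf.infolist() if i.filename == name)
            return zf.read(first), zf.read(name)


def build_sample(tampered: bool) -> bytes:
    """Constructed stand-in for an APK: a manifest plus classes.dex; `tampered` appends a
    second classes.dex with a different body after the one the signature covers."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", b"SIGNED-DEX")   # covered by the signature
            if tampered:
                zf.writestr("classes.dex", b"EVIL-DEX")  # same name, appended later
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(tampered=True)
    print("duplicates:", find_duplicate_entries(sample))
    print("verifier sees / extractor gets:", first_vs_last(sample, "classes.dex"))
```

The same check applies unchanged to a real APK read from disk; any non-empty result from `find_duplicate_entries` is reason to refuse installation rather than trust the signature.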
Why is this bug particularly important?
The bug apparently affects Android versions from 1.6 through 4.1, so chances are your device is vulnerable. Although Google has reportedly patched the flaw, you probably haven’t received the update yet – users of older smartphones running Gingerbread (Android 2.3.x) or earlier will likely not receive the fix at all. It is also important because attackers could pick popular applications from well-known developers, rig them with malware and deliver them via third-party app stores.
A second flaw that could allow the modification of APK files without voiding digital signatures was discovered by Chinese researchers shortly thereafter. Rather than manipulating the ZIP container to host two identical files, they injected malicious code in the ZIP header so that it is appended to the classes.dex file upon unpacking. This allows a potential attacker to accommodate up to 64 KB of additional malware code without voiding the digital signature.
Because of its increased market share in the past few years, Android has become the favorite pick not only for cyber-criminals, but also for security researchers. Since proof-of-concept exploits often come to light faster than mitigations, an antivirus solution can prove to be the last layer of defense in case of an outbreak.
The updated Bitdefender Mobile Security & Antivirus, as well as its free version, are available via Google Play. If you already have either installed, make sure you update it by visiting the Play Store, choosing My Apps and selecting the Update button next to the Bitdefender Mobile Security (or Bitdefender Antivirus Free) entry.