There may be many ways to root an Android phone, but there's allegedly one root to rule them all. At this year's Black Hat USA 2013 conference, security researcher Jeff Forristal will detail how to gain system access and control on nearly any Android device. The bug was disclosed back in February, and Google presumably has worked to patch the vulnerability in the months since, so don't get too excited.


Forristal claims he can modify APKs without having to re-sign them. This means someone with ill intentions could install malicious code masked as a legit app, or they could update existing apps without needing the signing key, compromising apps users naturally assume are safe. Forristal asserts that it's then a simple step to gain root access. When he first became aware of the vulnerability, it was executable across a large number of Android devices, generations, and architectures with minimal alteration. The diversity in the Android ecosystem puts a damper on a lot of things, but apparently not this.
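Why "without re-signing" matters: an APK is a JAR-style archive whose META-INF/MANIFEST.MF records a SHA1 digest of every file, and the developer's signature covers that manifest. Any change to a file's bytes should therefore surface as a digest mismatch when the package is verified, which is exactly the check an unsigned modification must somehow get past. The script below is an added illustration written for this article, not code from Bluebox or from Android itself: it parses a manifest, recomputes each entry's digest, and reports files that were altered, added, or removed relative to the manifest. It checks only this digest layer (a full verifier also validates CERT.SF and the CERT.RSA signature over the manifest), and the sample archives it builds are constructed in memory rather than taken from a real app.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"


def _unfold(text):
    """Join JAR manifest continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_manifest(text):
    """Map each 'Name:' entry in MANIFEST.MF to its base64-encoded SHA1-Digest."""
    digests = {}
    name = None
    for line in _unfold(text):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = line[len("SHA1-Digest: "):]
        elif line == "":
            name = None  # a blank line ends the per-entry section
    return digests


def sha1_b64(data):
    """Digest encoding used by MANIFEST.MF: base64 of the raw SHA-1."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def check_apk_digests(apk_bytes):
    """Return a list of findings; an empty list means every entry matches the manifest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if MANIFEST_PATH not in names:
            return [f"{MANIFEST_PATH} missing"]
        manifest = parse_manifest(z.read(MANIFEST_PATH).decode("utf-8"))
        for name in names:
            if name.startswith("META-INF/") or name.endswith("/"):
                continue  # signature files and directories are not digested here
            expected = manifest.get(name)
            if expected is None:
                findings.append(f"{name}: not listed in manifest")
            elif sha1_b64(z.read(name)) != expected:
                findings.append(f"{name}: digest mismatch")
        for name in manifest:
            if name not in names:
                findings.append(f"{name}: listed in manifest but absent from archive")
    return findings


def build_sample_apk(entries, manifest_entries=None):
    """Constructed sample: a zip holding `entries` plus a MANIFEST.MF.

    The manifest digests default to those of `entries`; passing the original
    files as `manifest_entries` and altered ones as `entries` simulates a
    modification made without re-signing (the manifest no longer matches)."""
    if manifest_entries is None:
        manifest_entries = entries
    lines = ["Manifest-Version: 1.0", "Created-By: example", ""]
    for name, data in manifest_entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(MANIFEST_PATH, "\r\n".join(lines))
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed file contents; "classes.dex" is a placeholder, not real bytecode.
ORIGINAL = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00original"}
TAMPERED = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00modified"}


def demo():
    """Run the check on a clean archive, an altered one, and one with an extra file."""
    clean = check_apk_digests(build_sample_apk(ORIGINAL))
    tampered = check_apk_digests(build_sample_apk(TAMPERED, manifest_entries=ORIGINAL))
    extra = dict(ORIGINAL, **{"assets/extra.bin": b"x"})
    added = check_apk_digests(build_sample_apk(extra, manifest_entries=ORIGINAL))
    return clean, tampered, added


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "added"), demo()):
        print(label, result or "OK")
```

Running it prints `OK` for the untouched archive, `classes.dex: digest mismatch` for the altered one, and `assets/extra.bin: not listed in manifest` for the archive with a file the manifest never covered. Those two findings are what the digest layer is designed to catch; a verifier that can be made to accept such a package without the signing key is the kind of failure the talk is about.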

Forristal works with Bluebox Security and is a recognized expert in the industry. He publicized the first responsible security policy and the first SQL injection. His talk will be one of many at this year's Black Hat conference, which will take place in Las Vegas from July 27 to August 1. Hit up the source link for a full schedule of events.

Source: Black Hat USA 2013

Bertel King, Jr.
Born and raised in the rural South, Bertel knows what it's like to live without 4G LTE - or 3G, for that matter. The only things he likes sweeter than his tea are his gadgets, and while few objects burn more than a metal phone on a summer day, he prefers them that way anyway.

  • Michael Pahl

    already patched?

    hmm. thanks anyway.

    • Justin Case

      Just because Google has a patch, doesn't mean devices are actually patched. I spent last night looking for any patches since Feb to AOSP that could be related to this and found none. Obviously at this time, the patch isn't in the wild.

      • fonix232

        It won't necessarily be uploaded as a bugfix or entitled so, might be a simple (optional for the time) change to the signing procedure of APKs.

        • Justin Case

          There has been no recent change to the signing procedure that would prevent this. I'm guessing it's going to be patched via updates soon.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      Already patched doesn't mean much, since most security patches are for Android versions going forward. It's incredibly rare for patches to be backported. It's plausible that an update to 4.2.3 could come out with the patch, or it may come with 4.3 (which rumors strongly suggest is due in a couple of weeks).

      I suspect an interim solution is to build in a fix with the Play Store apk, which already hooks into the install procedure. This would solve the problem for virtually every device with the Play Store installed, and it may have been distributed already. However, we won't really know unless somebody at Google says something publicly or malware starts running rampant shortly after this exploit is revealed.

      • Da_James

        That may be the reason why, since Feb, the play store says "You acknowledge Google may scan your device for security reasons". I believe the play store and play services now have an active malware scanner installed on every device. Kindle Fire, bewaaaaare ^^

        • http://www.androidpolice.com/ Artem Russakovskii

          We don't know enough about this to see how it works. Can code changes even be detected? It sounds pretty crazy from his description, but sure, the malware scanner could potentially be used to detect it. Or not.

  • Kenny

    I take it you mean it's patched in 4.2.2 then? That's the only one released since February, right? Doesn't that still leave a gaping hole to the other 90% of devices out there, especially all the GB cheapo phones?

    • http://www.androidpolice.com/ Artem Russakovskii

      It may not be, I haven't seen any patches to address it. It may be in 4.3, we'll see what he says.

      • http://mustafakaratas.net/ Mustafa Karataş

        I think it may be related to Google Play's new verify and install option.

  • gr227

    He should have given Google a week to fix the problem and then released it into the wild. Or would that be Evil?

    • esper256

      If he had seen evidence that hackers were already exploiting the vulnerability in the wild he should have. Users should be outraged to own phones from manufacturers / carriers that weren't getting security updates for exploits that are IN USE. It should drive consumers to adopt devices from entities that provide timely updates. The key being vulnerability IN USE. Maybe you didn't fully read the Google policy update.

  • Paul Smith

    Yawn, another expert looking for attention. Who wants to bet this ends up nowhere near these claims???

    • Varun Priolkar

      "He publicized the first responsible security policy and the first SQL injection."

  • spydie

    There is a difference between "resign" and "re-sign."

  • Could be Anyone

    Good, I hate how some companies want to lock the bootloader and root access for no good reason at all.