Scary tales about Android malware have been told since before people started guessing what dessert name would start with the letter 'D' (it's "Donut," in case anybody has forgotten). Most of those claims came and went, amounting to little more than ghost stories. Unfortunately, there are a few real ghouls and goblins of which we should be afraid. Back in February, one such monster was discovered lurking about: it allowed modified APKs to be installed on your device while successfully side-stepping the cryptographic signature check that exists to prevent that very thing. The good news: Google and CyanogenMod have closed the loophole on their own ROMs, and OEMs are in the process of doing the same.

At the end of May, we posted about Jeff Forristal and his session at Black Hat USA 2013 titled "One Root To Own Them All." Known internally as Android security bug 8219321, the exploit took advantage of a discrepancy between the signature verification step and app installation, allowing a malicious payload to be inserted into the APK and ultimately installed. The modification relied on embedding two identically named files in the APK: only one of them is examined during signature verification, while the other is the one that actually gets installed and executed. The really dangerous part is that even highly privileged (read: system-level) apps from OEMs and Google could be replaced through this weakness, meaning it could do virtually anything from reading private data to significantly modifying the operation of the device. A more complete explanation of the process is given in a post by Al Sutton, and Pau Oliva has released a proof-of-concept script that carries out the steps to embed a payload into an APK.
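The core of the bug is that a ZIP container (which is what an APK is) may legally carry two entries with the same name, and two different readers need not agree on which one "classes.dex" refers to. The following added example, which is not code from the article, from Bluebox or from Pau Oliva's script, builds a small constructed APK-like archive in memory, shows that a by-name lookup and an in-order walk of the central directory return different contents for the same name, and implements the defensive check that the fix amounts to: refuse any archive whose central directory lists a name more than once.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_sample_apk(duplicate: bool) -> bytes:
    """Construct a minimal APK-like archive in memory (sample data, not a real app).

    With duplicate=True a second 'classes.dex' entry carrying different bytes is
    appended after the first, which is the shape of archive the bug concerns.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about a duplicate name but still writes the entry,
        # which is exactly the archive we want to examine.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00original code")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00modified code")
    return buf.getvalue()


def entry_views(apk_bytes: bytes, name: str) -> dict:
    """Show how two reading strategies can disagree on the same entry name.

    'by_name_lookup' is what a dictionary-style API returns (the last entry wins
    in Python's zipfile); 'in_order' is every entry with that name, in the order
    the central directory lists them. A verifier and an installer that pick
    different entries will verify one file and run another.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        in_order = []
        for info in zf.infolist():
            if info.filename == name:
                with zf.open(info) as fh:   # open by ZipInfo, not by name
                    in_order.append(fh.read())
        return {"by_name_lookup": zf.read(name), "in_order": in_order}


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every name listed more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_to_install(apk_bytes: bytes) -> bool:
    """The defensive rule: an archive with any duplicated entry name is rejected outright."""
    return not duplicate_entries(apk_bytes)


if __name__ == "__main__":
    tampered = build_sample_apk(duplicate=True)
    views = entry_views(tampered, "classes.dex")
    print("by-name lookup :", views["by_name_lookup"])
    print("first in order :", views["in_order"][0])
    print("duplicates     :", duplicate_entries(tampered))
    print("safe to install:", is_safe_to_install(tampered))
```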

In February, the bug was responsibly disclosed to Google by Bluebox Labs, the security research team employing Mr. Forristal, and a fix was quickly implemented. While the Android codebase has since been patched, updated ROMs have not yet shipped to Nexus devices. Among the protected devices, it's known that the patch has been applied to every variant of the Samsung Galaxy S4 and HTC One running Android 4.2.2 and above (note: most HTC Ones are still running 4.1.2). Unfortunately, it seems that most of the devices in the wild will remain vulnerable until OEMs get around to shipping security updates.

There is good news for those running CyanogenMod: earlier today the patch was merged into the codebase and will begin shipping with nightlies from this point forward. While flashing third-party ROMs isn't recommended for everybody, it's fair to say that fast security updates are an advantage of doing so.

In the meantime, if you are running a device that may be vulnerable to this exploit, you are advised to install APKs only from completely trusted sources, such as the Play Store. As always, stay safe!

Source: Bluebox Blog, Al Sutton

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • mechapathy

    I know it's all FUD and everything, but that seems like the kind of thing Google should push out to Nexus devices, simply because they can.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      <cough>couldn't agree more<cough>

    • angel_spain

      Totally agree. I don't understand why OEMs can do that to their devices (sleep of death in Xperia and GS3, etc.) but Google never does the same with Nexus devices.

  • Alex Flynn

    If it was patched in February, why has it taken so long to get into CM? I know the guys are busy and do it for free, but this is almost STOPSHIP importance.

    • http://www.androidpolice.com/ David Ruddock

      It wasn't public in February. The details weren't public until now, basically.

      • Alex Flynn

        But doesn't the process of Google patching it in Feb make some changes in AOSP that CM could have got 5 months ago? Or is AOSP not always up to date?

        • http://kennydude.me/ Joe Simpson

          AOSP is just the public "branch" of Android. Google tend to hide things.

          • rseiler

            Since CM has an in-built update system, has it been used in the past to push out small fixes (like this one will be presumably), or do they have to push out an entire ROM update when it's ready/warranted? I do realize that the nightlies are mentioned above, but I'm just wondering strictly about the update mechanism.

          • squiddy20

            Not sure if I'm quite understanding what you're asking, so try asking again if I'm answering it wrong.
            From what I understand, even with the built in updater, you're downloading the entire ROM every time you update. For toro/toroplus devices, that's an ~160 MB download for every update you pull from the server. So if you pull a toro nightly every night for a week through the built in updater, you'd use ~1077 MB of data that week on updates alone. But there are apps (like CyanDelta updater) that only download the bits that have changed since the last installed nightly, resulting in a MUCH smaller download.

          • rseiler

            Yes, that's what I was asking, thanks.

          • Freak4Dell

            Theoretically, a new ROM build would be compiled, but only the changes would be downloaded. In reality, I find that CM's delta updates don't actually work, and the whole ROM is downloaded instead.

            However, as long as you're just installing an update, you won't have to wipe anything. Just install the update and carry on with whatever you were doing.

          • http://kennydude.me/ Joe Simpson

            It's a full ROM update.

          • http://www.twitter.com/ninjustin ninjustin

            The CM updater downloads a full ROM, not parts of it. There are apps that will download a delta, which is a partial update to CM, but I don't typically trust them to work better than a dirty flash.

        • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

          Think of AOSP as the "finished product," which Google only updates when it is time to go on record that a version is ready for everybody to have access to. That's not a precise definition, but it's a fairly simple and flexible way to interpret it.

          In the case of this fix, Google didn't share it right away because it would have exposed the vulnerability. By holding it back for a while, there was time to distribute the fix to OEMs who have a much longer update cycle. Since the exploit was about to be exposed publicly in less than a month (at Black Hat), it was time to share it so CM and others would have time to integrate it. Even if OEMs haven't fixed it yet, it's better for some installations to be fixed than none.

          • Freak4Dell

            I guess I can see why they did it, but I really wish Google would take a different approach to dealing with manufacturers and updates. There's no reason for a known security flaw to go unpatched and unexposed for months. We all know Google apps are the lifeblood of Android, and they really need to start using some of that muscle. I mean, I would love it if they would force manufacturers to do all updates fast, but at the very least, they should have a requirement for security patches to be released promptly. Something like this doesn't require rewriting the drivers or updating the skin, so the manufacturers simply have no good reason to not comply. If they don't comply, they should lose their membership to the OHA, no exceptions. I realize this is easier said than done, but this is not the first security flaw like this, and it won't be the last. Android is pretty much the only mainstream OS allowed to get away with this kind of stuff. People would riot if it was revealed that there was a giant security flaw in Windows, OSX, or iOS that Microsoft or Apple found, fixed, then just sat on for half a year or more. Yes, both of those companies manage updates themselves, but I think the whole open-source thing is used as a cop out way too much. I love Google, but they need to start taking some responsibility and control over their creation.

          • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

            I agree that things can and should be better. Unfortunately, and as we all have become acutely aware, there are business factors which play into the end result. It costs quite a bit of time and money to push updates for every variant of every device, including the cost of developers, OEM and carrier testing, and customer support (because even the official updates can have a bad flash). While I hate to acknowledge it, this is a pretty reasonable time frame for the bug to be fixed. However, if security updates aren't shipping for a fair number of devices in the next few months, then we should start being more critical.

            Also, trust me, you would be appalled if you knew how many security issues go unpatched in some of the other operating systems. There was a critical vulnerability in Windows Phone 7 that came out shortly after the OS was launched, but it was never fixed. WP8 is built on a different codebase, so it was unaffected. There are countless examples of iOS security problems that weren't fixed for several updates, even a couple that were used for jailbreaking. And don't get me started on OSX and Windows.... :)

          • Freak4Dell

            The time, money, and customer support are the manufacturer's responsibility. If they can't handle the cost of doing business, they shouldn't be in business. Stuff that doesn't touch carrier software shouldn't need carrier testing. I honestly can't even remember a time when a security flaw was fixed on a large number of devices. Android manufacturers tend to either wait until they can push an update to the next version of Android, or they just completely ignore the phone altogether. Some phones do get random updates, but looking at the huge number of Android devices out there, I wouldn't call those anywhere near a "fair number".

            I know I've heard of flaws on other OSes that were never fixed, but I've never heard of any where the company found it, fixed it, then just put the fix in a drawer. Yeah, MS and Apple sometimes just don't bother fixing something, or they wait until the next software version to fix it. That's also disturbing, but in this case, Google took the time to analyze and fix the problem, then just said, "nah, forget it." That's an oversimplification, of course, but I'm just really tired of Google basically bending over backwards for manufacturers. Google and manufacturers have a symbiotic relationship, but it often seems like manufacturers are just parasites. We've seen Google flex their muscle before (e.g. in the Acer fiasco), so I want to see them use that more often to get the manufacturers and carriers in check.

          • JKeith

            I agree...to disagree. The manufacturers had nothing to do with the vulnerability in Android. In any business, if a mistake is made, whether the owner's fault or an employee's fault, the owner has to answer for it. Ultimately it's his responsibility, and a true leader would know it and take responsibility. Google owns Android and is responsible for how it's built. The manufacturers of the devices have more to lose than any end user. This bug could modify manufacturers' applications as well as system apps. Meaning they could access any and all permissions on the device and change system-level software information normally controlled by system hardware. This means they could get financial information about manufacturers and any of their trusted affiliates and customers. Anyone with any kind of account from social websites to corporate banks could be affected. Even the government banks if they actually had any money in them. Google needs to step up their game. This has been a problem since way before Feb. and they should have known. You can be sure of this too, it's always worse than they let the public know. They tell you what you want to hear and if people start complaining too much then something bad happens on the news and everybody forgets about it. Same ol' song and dance. It's all about the money.

        • Adrian Meredith

          The best way to think of it is Android is not "Open Source", it's "Open Sourced" whenever a new version is published. This means that ROM makers don't have access to the latest builds until Google does an official release.

  • The Seventh Son

    There is NO excuse that this wasn't immediately pushed to stock Nexus devices via OTA by Google. February was almost a generation ago in this life cycle.

  • MasterMuffin

    So what this allows is easy rooting for everybody, just an .apk to root every Android device? How hasn't anyone used this yet?? I bet it'd have demand!

    • jonathan3579

      Did you even read the article in its entirety?

      • MasterMuffin

        Yes, did I miss something?

        • jonathan3579

          Yes, most definitely. The purpose of this exploit is not to root your phone. Rather, probably one of the worst things about it is that it can pose and function as a normal system app all while performing malicious actions without you even knowing.

          • MasterMuffin

            I know that, but nobody thought of using it for good before it gets fixed!

          • jonathan3579

            Well, the issue here is that such an exploit can do much more harm than good especially in the wrong hands.

          • MasterMuffin

            Like any root exploit before. I hope an app dev is reading this and makes it! I rooted the first time with an apk using an exploit back in Gingerbread :)

          • jonathan3579

            Touché. I just don't see many devs using this exploit given the sensational treatment it's been given. (Not saying it's being done here.)

          • MasterMuffin

            One brave dev is enough because the one app could root pretty much everything.

      • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

        To be fair, he's not wrong. This would be a completely viable method to acquire root on several devices.

        Also, like many other root exploits, it will be patched out of viability on many devices with future updates. It's also a fairly safe bet that very few devices will ship with this exploit in the future.

  • CuriousCursor

    ahahahahahah, somewhere in a corner a Google developer is facepalming at the media outlets for blowing this up.

    • http://www.androidpolice.com/ Artem Russakovskii

      Well, to be fair, the bug is really severe. Like really really really severe.

      • TheRealCBONE

        Unless you don't install shady ass apks from sources you shouldn't trust.

        • http://www.androidpolice.com/ Artem Russakovskii

          Well, it's the theory behind it and the fact that anybody could come on Reddit and pretend to be a developer asking people to test his app, which in reality would install as an update to something in System. We trust the cryptographic verification to work 100% and protect us against malicious/repackaged updates, and I can think of many situations where it would be able to trick even the savvy ones into installing fake updates and not suspecting a thing.

          • http://www.techmansworld.com/ Michael Hazell

            Well I don't really browse Reddit that much and before I really test an app I have to know someone for a while or just wait for the app to be submitted to the Google Play store, which usually catches malware, backdoors, etc.

      • CuriousCursor

        Hmm, I think I misunderstood that this was patched in 4.2.2 and hence the Nexus devices.

        • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

          Unfortunately, it wasn't. The release date for 4.2.2 was February 11th. ref: http://en.wikipedia.org/wiki/Android_versions#Android_4.2_Jelly_Bean_.28API_level_17.29

          As far as I've been able to tell, the fix appears to have been written and merged into the Android source on February 18th, a week later. Since there haven't been any shipped OTAs since then, the Nexus line remains unpatched. I haven't personally tested the exploit, but I've spoken with another source that confirms the bug is present on a stock Nexus 4.

          The only reason the SGS4 and later versions of the One are patched is because they had ROMs built after that time. Due to the partner status with Google, security patches are more readily shared before they reach AOSP. As I mentioned in another comment, this is to ensure the patches can filter through the update process before the exploit is fully disclosed. Unfortunately, the shipped version of the HTC One running 4.1.2 was built before the fix existed. I'm not sure if the latest update (version 1.26.502.12) has the fix or not.

      • squiddy20

        It's severe IF you have "Unknown sources" checked, AND if you download apps from somewhere other than the Play Store, AND if you are stupid enough to go to some random website (that you don't trust) to download an app that can more than likely be gotten from the Play Store. If even the first thing isn't done, none of this applies to you. And considering most people don't even know the "Unknown sources" setting even exists, this affects only a small percentage of Android users. Those that this does affect are either smart enough to avoid the situation entirely (the common sense of avoiding apps you don't trust from sources you don't trust), or get what they deserve (pirating apps which can be infected with viruses/malware).

        Additionally, yes, the vulnerability exists. But besides the proof of concept app/script that I'm sure BlueBox Labs created, it's never been seen in the wild. As far as we know, there is no hacker that actually takes advantage of this vulnerability, especially since its existence was only revealed to the public less than a week ago.

        • http://www.androidpolice.com/ Artem Russakovskii

          Once again, I can definitely see situations where even I could be tricked into this, given the nature of the business where I install a lot of APKs. And besides the point - the sheer potential damage caused by this bug and the severity of it in theory is what makes it huge in my eyes. It's not all about whether something utilized it (remember the HTC Loggers fiasco?) but the potential.

        • SetiroN

          Yeah, nobody sideloads APKs, I mean not even 80% of XDA.

  • http://dabuxian.com/ Dabu

    I think I love CM even more now.

  • Aalok

    on your *devic*

    Surely, you meant device.

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      Fixed, thanks!

  • http://www.techmansworld.com/ Michael Hazell

    I'm not sure what is going to happen to low budget 2.3 devices, and 2.3 devices in general. What if the OEMs don't want to patch the exploit? Is there anything that Google can do to force a security update?

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      On the good side, most of the people still using older devices happen to be the same people who aren't installing APKs from particularly untrusted sources. At least, that's true in the US. I'm more concerned that this could become a fairly legitimate issue in countries like China and India, where budget devices coincide heavily with piracy and alternative app markets.

  • Avidgamer

    Here's the concerning thing: I doubt many OEMs will update their phones. Let's look at how poorly HTC has been with updating their phones. I doubt my Vivid would get a security update from them (granted I am on CyanogenMod 10 now). There are 2 ways that this could end really, 1 (most likely) OEMs update their more important phones, the One (probably not the One X) with security enhancements, and leave all others out in the cold, 2 (hopeful thinking) OEMs update as many phones as they can to newer versions of Android (hardware capable, that is) or 3 (entirely possible for some OEMs) no changes whatsoever for any devices currently available.

    It should be mandated that any phone that can be patched will be patched, but, unfortunately, this probably won't happen. I would love to see OEMs actually update their phones to newer versions of Android (any phone on ICS should at least be bumped to Jelly Bean) but I doubt many will even get a security enhancement.

  • B M

    My Galaxy S2 is still not patched!!!

  • Matt

    So I know y'all probably get newbie crap questions every day, but I have a VW GS3 with 4.4.2. So am I vulnerable? I also can't figure out how to do ROMs & all the fun stuff on my device. It is rooted with "towelroot", not sure if it's legit, but my device seems to function on it. I've got ROM Toolbox Pro, SuperSU Pro, BusyBox Pro, Lucky Patcher, & Xposed Installer w/ Master Key security patch waiting to be engaged. If ydk, can someone please point me to someone who can help or something?