Scary tales about Android malware have been told since before people started guessing what dessert name would start with the letter 'D' (it's "Donut," in case anybody has forgotten.) Most of those claims came and went, amounting to little more than ghost stories. Unfortunately, there are a few real ghouls and goblins for which we should be afraid. Back in February, one such monster was discovered lurking about that allowed modified APKs to be installed on your device while successfully side-stepping the cryptographic signature used to prevent that very thing. The good news: Google and CyanogenMod have closed the loophole on their own ROMs, and OEMs are in the process of doing the same.
At the end of May, we posted about Jeff Forristal and his session at Black Hat USA 2013 titled "One Root To Own Them All." Known internally as Android security bug 8219321, the exploit took advantage of a discrepancy between the signature verification step and app installation, allowing for a malicious payload to be inserted into the APK and ultimately installed. The modification process relied on embedding two identically named files, only one of which is used for signature verification, while the other is executed. The really dangerous part is that even highly privileged (read: System-level) apps from OEMs and Google could be replaced through this weakness, meaning it could do virtually anything from reading private data to significantly modifying the operation of the device. A more complete explanation of the process is detailed in a post by Al Sutton, and Pau Oliva has released a proof-of-concept script that carries out the steps to properly embed a payload into an APK.
In February, the bug was responsibly disclosed to Google by Bluebox Labs, the security research team employing Mr. Forristal, and a fix was quickly implemented. While the Android codebase has since been patched, updated ROMs have not yet shipped to Nexus devices. Among the protected devices, it's known that the patch has been applied to every variant of the Samsung Galaxy S4 and HTC One running Android 4.2.2 and above (note: most HTC Ones are still running 4.1.2). Unfortunately, it seems that most of the devices in the wild will remain vulnerable until OEMs get around to shipping security updates.
There is good news for those running CyanogenMod: earlier today the patch was merged into the codebase and will begin shipping with nightlies from this point forward. While flashing 3rd party ROMs isn't recommended for everybody, it's fair to say that fast security updates are an advantage to doing so.
In the meantime, if you are running a device that may be vulnerable to this exploit, you should be advised to only install APKs from completely trusted sources, such as the Play Store. As always, stay safe!