Hot on the heels of Bluebox's disclosure of the "Master Key" exploit, a Chinese blog has posted details of a similar vulnerability. This attack also exploits a bug in the signature verification step to sidestep it, allowing seemingly innocent APKs to carry a potentially dangerous payload; and, as with its predecessor, Google has already patched the flaw and posted the fix to the Android Open Source Project (AOSP). The information comes to us from a China-based group (or possibly an individual) calling itself the Android Security Squad. The original post is in Chinese, but a vaguely comprehensible translation can be had thanks to Google Translate.

Initial discovery of the flaw, known as "bug 9695860," occurred as the security researcher was examining a changeset that was quietly posted to AOSP on July 3rd. The only comment on the update reads, "Values in ZIP files are unsigned," but from the code changes alone the researcher was able to unearth the previously unpublicized vulnerability. Of course, since this discovery resulted from an existing fix, we know that Google has already patched the bug. We don't know whether Google itself found the weakness or whether a third party disclosed it without claiming credit (yet).


The nature of the exploit is fairly complicated and relies on some tricky modifications to the APK. Basically, two versions of the classes.dex file are placed inside the package: the original and a hacked alternative. By overlapping the valid version (which begins with the characters 'dex') with part of the filename (which ends with 'dex'), it becomes invisible to the extraction process. The container is then modified to trick Android into examining the original. This bait-and-switch depends on an oversight in the signature check, where the system reads a pair of 16-bit values (the length of the filename and the length of the extra field) to determine how far to skip to reach the actual file data. Because those values were read as signed, providing a negative number here makes the verifier land on the valid version, which is the one that gets checked. Google's fix was simply to force the values to be interpreted as positive (unsigned) numbers, making it impossible to use this particular method of misdirection.

Google's fix: red shows the original code, green is the new version.

Like the previous exploit demonstrated by Bluebox, this one relies on the Android system performing signature verification and extraction in slightly different ways. Fortunately, there are a few limitations to this attack. To begin with, unlike the "Master Key" exploit, this one can only replace a single file, classes.dex, and only if the original is smaller than 64k. Further, the process of constructing the modified APK is more exacting and requires fairly complete knowledge of the structure of the files.
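Both the bait-and-switch described above and the verifier/extractor mismatch it exploits come down to two 16-bit length fields in each ZIP local file header that one parser read as signed and another as unsigned. The scanner below is an added example written for this article, not code from AOSP, Google, CyanogenMod or the Android Security Squad post. It walks an archive's central directory, re-reads each entry's local header, and reports any filename or extra-field length that would turn negative under a signed read (the range Google's patch now forces to be unsigned), plus any local header whose name disagrees with the central directory, which is the kind of cross-check a defender can run over an APK before trusting it. The header offsets follow the ZIP format specification; the archives it scans are constructed in memory with a placeholder classes.dex, and the tampered variant only overwrites one length field so the check has something to report (it is a test fixture, not a working APK).

```python
"""Flag ZIP local headers whose length fields go negative under a signed read.

Added example for this article (not AOSP or Android Security Squad code).
Offsets are from the ZIP format specification; sample archives are constructed.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory header
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def as_signed16(value):
    """Interpret a 16-bit field the way a signed Java 'short' would."""
    return value - 0x10000 if value >= 0x8000 else value


def _end_of_central_directory(data):
    """Locate the EOCD record; return (total entry count, central dir offset)."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entries at +10 (u16), central dir size at +12 (u32), offset at +16 (u32)
    count, _size, cd_offset = struct.unpack_from("<HII", data, pos + 10)
    return count, cd_offset


def scan_zip(data):
    """Return a list of (entry name, reason) findings; an empty list means clean."""
    findings = []
    count, pos = _end_of_central_directory(data)
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(("<central directory>", "bad central header signature"))
            break
        # Central header: name/extra/comment lengths at +28, local header offset at +42
        cd_name_len, cd_extra_len, cd_comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        cd_name = bytes(data[pos + 46:pos + 46 + cd_name_len])
        name = cd_name.decode("utf-8", "replace")
        pos += 46 + cd_name_len + cd_extra_len + cd_comment_len

        if data[local_off:local_off + 4] != LOCAL_SIG:
            findings.append((name, "central directory offset does not point at a local header"))
            continue
        # Local header: name length at +26, extra length at +28, both unsigned 16-bit
        name_len, extra_len = struct.unpack_from("<HH", data, local_off + 26)
        for label, value in (("name length", name_len), ("extra length", extra_len)):
            signed = as_signed16(value)
            if signed < 0:
                findings.append((name, "%s 0x%04x reads as %d when treated as signed"
                                 % (label, value, signed)))
        # The extractor and the verifier must agree on which file this header describes.
        local_name = bytes(data[local_off + 30:local_off + 30 + name_len])
        if local_name != cd_name:
            findings.append((name, "local header name does not match central directory"))
    return findings


def build_sample(tamper_extra_len=None):
    """Construct an in-memory archive with a placeholder classes.dex (constructed data).

    With tamper_extra_len set, the extra-field length of that entry's local header
    is overwritten so the signed-length check has something to flag.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 24)  # not a real dex file
    data = bytearray(buf.getvalue())
    if tamper_extra_len is not None:
        # The first occurrence of the name is in the local header, 30 bytes past its start.
        local_off = data.find(b"classes.dex") - 30
        struct.pack_into("<H", data, local_off + 28, tamper_extra_len)
    return bytes(data)


if __name__ == "__main__":
    for label, archive in (("clean", build_sample()), ("tampered", build_sample(0xFFFF))):
        print(label, scan_zip(archive) or "no findings")
```

Run against a real APK by reading the file into bytes and passing it to scan_zip; a clean archive returns no findings, while any length field at or above 0x8000 is reported with the value a signed reader would have seen.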

There is some unfortunate news: since the fix appears to be pretty new, it's unlikely to have propagated to any device in the wild yet, including Nexus devices and the Google Play Edition variants of the Samsung Galaxy S4 and HTC One. Given the speed with which CyanogenMod is pushing out security fixes, we can probably expect its users will be among the first to be protected. However, since Google has clearly been aware of the issue, it's likely that the Play Store is already checking apps to ensure APKs are not being distributed with this attack. In other words, keep installing apps through the Play Store and be extremely wary of any untrusted sources. While this exploit is potentially just as dangerous as the one from Bluebox, it's still more limited and future security updates will surely patch both issues at the same time, so there's not really much more to worry about from this discovery.

Source: Sina [translated link], AOSP patch

Thanks, Anon

Cody Toombs
Cody is a Software Engineer and Writer with a mildly overwhelming obsession with smartphones and the mobile world. If he’s been pulled away from the computer for any length of time, you might find him talking about cocktails and movies, sometimes resulting in the consumption of both.

  • http://www.androidpolice.com/ Artem Russakovskii

    Yeah, I had it changed, it was confusing indeed.

  • krackers

    Someone at xda needs to create a universal root with this exploit...

    • PhoenixPath

      Someone needs to release an apk of the fix...

      • Wyatt Neal

        This error lies further down in the Android core. I don't think you're going to get a "One apk Fix" to resolve it.

        • PhoenixPath

          Well aware of where it is located, but if someone's going to request a root exploit from it, I can dream too, right?

    • http://www.androidpolice.com/ Artem Russakovskii

      Universal until it's patched by OEMs and Google that is.

      • krackers

        Once you have root then you can do whatever you need to preserve it (rootkeeper, etc.)

        • http://www.androidpolice.com/ Artem Russakovskii

          Right, but I am saying it won't be universal for long.

          • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

            This does make me increasingly eager to see the next version of Android roll out to Nexus devices everywhere.

      • Freak4Dell

        The bright side is that most OEMs won't bother sending out an update to patch it.

    • Guillaume ‘XpLoDWilD’

      That's assuming there is a system apk with a classes.dex of less than 64K, if I read that correctly.

  • Simon Belmont

    Haha. Android Security Squad or, ASS, for short.

    But on a serious note, glad to see that people are watching out for this stuff. As always, AP has pertinent information on what's important here.

    • BetterWithRoot

      So glad we can get the ASS on this. I wonder if they make hats.

  • http://nikolaovcharski.com/ Nikola Ovcharski

  • soya

    I wonder if mobile antivirus has also been updated to check for this kind of vulnerability.

  • Dirk Rettschlag
    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      That's what I like to see! Way to stay on top of the game! :)

  • jasecs

    so much better than Kevin's posts...

  • Alex Lam

    Meh, I have TrustGo scan all my apps and since my phone takes forever to download apps, I'll never get hacked! HTC Amaze btw

  • http://www.facebook.com/mike.loney3 Mike Loney

    Hey I reported around 4 or 5 PM that this was fixed in CM. I left you guys a mail tip, but you never opened it. )-: UPDATE: My mistake. Checked my mailbox. Credit received. (-: I'm only trying to grab credit because I was actually trying to alert CM of this build, but it was already reported. Talk about quick! They fixed it in no time!

    • http://www.androidpolice.com/author/cody-toombs/ Cody Toombs

      Dirk Rettschlag, the committer for that patch, already mentioned it here in the comments earlier today. We figured it was part of the reason CM has already bumped the new version number to 10.1.2.

  • John Kuang

    I just asked my Chinese friends and they don't really use the word ass. So this is likely to be accidental, which makes it funnier.