[ale] Android security bug

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Fri Jul 12 10:06:15 EDT 2013


Hi all,

I thought I'd share some info about the Bluebox Security Scanner mentioned elsewhere in this thread.  I installed it after it was mentioned.  At the time, it was at v 1.2.  It did not find any malicious apps on my tablet, but said there was one encrypted that it couldn't read.  They have now upgraded it to v 1.3.  This display will not appear if you don't have any apps that are unreadable.  However, if you do, there is now an option to display the names of the items you cannot read.  So, on mine, there was one app that said com.danielhlockard.flashbrowser.  I wasn't exactly sure what that was.  I googled it and found that the human readable name of the program was Flash Browser.  That wasn't in my program listing from the Google Play store.  I clicked on the Amazon store, which I've used once or twice.  That didn't work for a reason I'll describe below.

I went to settings, apps, all, and found Flash Browser.  I remembered the icon and the name then.  It is something I installed, but rarely use.  I didn't like the idea of it not being scannable, so, even though I don't have any reason to believe it's malicious, I uninstalled it.

I ran the scan again and the unscannable file was gone.

Just FYI, at some point in time, Amazon seems to have changed the terms on their app store.  As I said, I've used them once or twice.  And, I had signed in before.  However, when I tried to activate the program this time, it wanted my credentials again, which it should have remembered.  The login screen also said by logging in, I was agreeing to the terms of service.  OK, no problem.  But, it also said that I was agreeing to enable one click.  I presume that means one click purchasing.  Well, I never use one click, and I have it disabled in my Amazon account.  So, I just said heck with it and exited the program.  One reason I stopped using the Amazon app store about a year ago is that they didn't have app auto update at the time.  I don't know if they do now or not.

The Google Play store allows auto update settings on an individual app basis, which is better than my desktop Mint installation does.  As far as I know, that auto update is all or nothing.

Sincerely,

Ron



Charles Shapiro <hooterpincher at gmail.com> wrote:

>Thank you Michael for your excellent write-up.  I probably
>over-simplified by comparing it to privilege escalation.
>
>-- CHS
>
>
>On Thu, Jul 11, 2013 at 5:23 PM, Michael H. Warfield
><mhw at wittsend.com> wrote:
>
>> Ok...  I guess I better chime in on this one before the rumors get too
>> out of hand...
>>
>> On Sat, 2013-07-06 at 10:38 -0400, Charles Shapiro wrote:
>> > Be careful out there.
>> > (http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/).
>> > This basically means that it's possible to grab an application from
>> > Google Play and undetectably modify it to do Evil.  It's more-or-less the
>> > equivalent of a privilege escalation exploit in Unix.  Nothing in the wild
>> > yet.
>>
>> No.  It is NOT a "privilege escalation exploit".  Yes, a malware author
>> could take a signed, packaged, app and modify the app in a way that
>> includes the malware and appears to be properly signed.  But it still
>> runs as the permissions and ownership of the original app.  There's no
>> privilege escalation involved.  If the app happens to be one of the apps
>> from the handset manufacturer or carrier which carries elevated
>> privileges then, yes, you would get those elevated privileges of that
>> app.
>>
>> It's a bug in the way Android checks the apks.  An apk is just a zip file
>> with a series of signed files.  The flaw occurs if the zip file contains
>> more than one entry with the same exact name (and, presumably, path).
>> In that case, Android loads the first file but only checks the signature
>> on that LAST file.  OOOPPPSSS...  Epic fail.
>>
>> http://news.techworld.com/mobile-wireless/3456734/proof-of-concept-exploit-available-for-android-app-signature-check-vulnerability/
>> https://jira.cyanogenmod.org/browse/CYAN-1602
>>
>> The exploit is to take a known good app and unpack it using apktool,
>> then replace the files you want to trojan and rebuild the apk.  Then,
>> using a "zip" that will support it (the author of some PoC code used a
>> python routine), append the original files to the new zip after the
>> trojaned ones.  Voila.  Less than 3 dozen lines of shell code.
>>
>> https://gist.github.com/poliva/36b0795ab79ad6f14fd8
>>
>> Google has already implemented scanning of all the apps in the Play
>> store and no legitimate app should have multiple files of the same name
>> in the apk so it's pretty simple to scan for.  The fix for Android is to
>> prohibit any apps with duplicate file names in the apk.  Google has
>> deployed the patch to vendors and it's even already in all the branches
>> of CyanogenMod.
>>
>> Advice...  Don't sideload apps or enable untrusted sources unless you
>> really REALLY know what you're getting.
>>
>> >
>> > -- CHS
>> >
>>
>> Regards,
>> Mike
>> --
>> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>>    /\/\|=mhw=|\/\/          | (678) 463-0932 |
>> http://www.wittsend.com/mhw/
>>    NIC whois: MHW9          | An optimist believes we live in the best of all
>>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
>>



--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
Litecoin: LZzAJu9rZEWzALxDhAHnWLRvybVAVgwTh3
Bitcoin: 15s3aLVsxm8EuQvT8gUDw3RWqvuY9hPGUU
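The check Mike describes above (no legitimate apk has two entries with the same name, so reject any that does) is easy to show in code.  The example below is added here and is not from the thread, from Bluebox, or from the PoC gist; it builds a small in-memory zip (labelled as constructed, not a real apk) with two entries named classes.dex, then shows the defensive scan a package installer or scanner should run before trusting any signature, and shows why reading "by name" is ambiguous in such a file.  It relies on one assumption about Python's zipfile module: when two central-directory entries share a name, reading by name returns the later one, while reading by ZipInfo returns each copy separately.

```python
import io
import warnings
import zipfile
from collections import Counter


def build_zip(entries):
    """Build a zip in memory from (name, bytes) pairs, keeping entry order.

    Duplicate names are written on purpose here; Python's zipfile warns about
    them, and we silence that warning because the duplicate is the point.
    This is a constructed sample, not a real Android package.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def find_duplicate_entries(zip_bytes):
    """Return {name: count} for every name listed more than once in the
    central directory.  A clean package returns an empty dict."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_safe_to_verify(zip_bytes):
    """The fix described in the thread: refuse to go on to signature
    checking at all if any entry name appears twice."""
    return not find_duplicate_entries(zip_bytes)


def read_each_copy(zip_bytes, name):
    """Read every copy of `name` via its own ZipInfo (distinct header
    offsets), and also read once by name, to show that two components
    resolving the same name can legitimately disagree on which bytes they
    get.  (Assumption: CPython's zipfile maps a name to the last entry.)"""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_info = [zf.read(info) for info in zf.infolist() if info.filename == name]
        by_name = zf.read(name)
    return by_info, by_name


# Constructed samples: one clean package layout, one with a duplicated entry.
CLEAN = build_zip([
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"ORIGINAL"),
])

DUPLICATED = build_zip([
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"MODIFIED"),   # first copy
    ("classes.dex", b"ORIGINAL"),   # second copy, same name, appended later
])


if __name__ == "__main__":
    for label, pkg in (("clean", CLEAN), ("duplicated", DUPLICATED)):
        dupes = find_duplicate_entries(pkg)
        print(f"{label}: duplicates={dupes or 'none'} safe_to_verify={is_safe_to_verify(pkg)}")
    copies, chosen = read_each_copy(DUPLICATED, "classes.dex")
    print("copies of classes.dex:", copies, "| read by name:", chosen)
```

The scan only looks at the central directory, which is where a zip reader normally learns what entries exist; a scanner that trusts names from the central directory while a loader walks local headers, or vice versa, is exactly how two parts of one system end up verifying one copy and executing the other.  Rejecting duplicates up front removes the ambiguity before any signature is ever consulted.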
