NEWS - July 05, 2013
by Carol~ - 7/5/13 6:51 AM
Android Vulnerability Enables Malicious Updates to Bypass Digital Signatures
A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature—an action that would normally set off a red flag that something is amiss.
Researchers at startup Bluebox Security will disclose details on the vulnerability at the upcoming Black Hat Briefings in Las Vegas on Aug. 1. In the meantime, some handset vendors have patched the issue; Google will soon release a patch to the Android Open Source Project (AOSP), Bluebox chief technology officer Jeff Forristal said.
The risk to corporate users and consumers is varied. At a minimum, an Android device would be jailbroken. At worst, an attacker could inject a legitimate application with malware that could enable the attacker to read corporate data such as email, make phone calls, send SMS messages, or even retrieve passwords and account information.
Continued : http://threatpost.com/android-vulnerability-enables-malicious-updates-to-bypass-digital-signatures/
Android flaw allows hackers to surreptitiously modify apps
Android's code signing can be bypassed
Android bug allows app code change without breaking signatures
Master Key Attack 'Threatens Almost All Android Devices'