Trojanizing an Android app by adding malicious code is ridiculously simple. Using widely-available tools, anyone can deconstruct an APK file down to its source code, add a malicious module, tweak a few permissions, and reconstruct a new Trojanized app that looks just like the old one. However, detecting this chicanery is a simple matter of checking the app's digital signature. Last week, researchers from BlueBox Security reported what they called a "master key" vulnerability—a technique for Trojanizing an app without changing the digital signature. This week a Chinese researcher reports yet another way to hide Trojan code.

Digital Signature Not Broken

The whole point of digitally signing a document or file is to prove the file hasn't been modified. The process uses a form of public-key cryptography. You digitally sign a file by encrypting it with your private key. The fact that the encrypted file can be decrypted using your public key is proof that there's been no tampering. Had BlueBox found a way to actually modify a file without changing its digital signature, that would have been a staggering blow to the entire crypto industry. But they didn't.

BlueBox will report the full details of their research at the Black Hat conference in a few weeks. However, ViaForensics researcher Pau Oliva Fora has posted proof of concept code that illustrates the approach taken.

In truth, it's very, very simple. APK files are packed using a version of the widespread ZIP archiving algorithm. Most ZIP implementations won't permit two same-named files in one archive, but the algorithm itself doesn't forbid that possibility. When checking an app's digital signature, the Android OS looks at the first matching file, but when actually executing and launching the file, it grabs the last one. To Trojanize an app, then, all you need to do is shoehorn your malicious code into it using a name that already exists within the app. Fora's demonstration is just a few dozen lines of Java code.

Another Structural Attack

A Chinese researcher blogging as Android Security Squad found the demonstration intriguing and went searching for other ways to subvert the verification process. Reading the Google-translated post is a little tough, but it appears the attack relies on a Computer Science 101-level concept.

Computer programs store counting numbers in fixed-size collections of bits. For example, with eight bits you can represent numbers from 0 to 255. If it's necessary to represent negative numbers, the long-standing convention is that the leftmost bit indicates a negative number. With eight bits, then, you can also represent numbers from -128 to 127. The binary number 11111111 represents either 255 or -1, depending on whether it's intended as an unsigned or signed number.

Android Security Squad pored over the APK file header format and found a data field that's assumed to be a positive offset, but that's stored as a signed integer. Forcing this field to a specific negative value causes the APK loader to execute the malicious code, rather than the already-verified digitally-signed code. OK, it's a bit more complex, but that's roughly how it works.

Stick With Google Play

Neither of these hacks actually subverts the Android digital signature mechanism. Rather, they both take advantage of quirks in the APK structure to render the digital signature irrelevant. Also, neither of them will enable a Trojanized app to sneak past Google's analysis. Google has specifically updated Google Play to filter out Trojanized apps using the "master key" attack; even without that step, standard security would almost certainly block either type of Trojanized app.

The lesson is clear. Always get your apps from legitimate sources, always check to make sure the developer name is valid, and configure your phone so it doesn't permit installing apps from "unknown sources." Pay attention to which permissions an app requests, and be ready to abort a suspicious-looking installation. If your carrier offers an Android update, always install it. It's just common sense!

Further Reading

Security Reviews