Android APK Vulnerability Now Demonstrated and Available
Less than a week ago, we posted about a newly found Android vulnerability that is not only a bit worrying but potentially affects 900 million devices, dating all the way back to Android 1.6. The discovery, and a deliberately limited initial disclosure, came from Bluebox, an up-and-coming security firm that planned to reveal the full details at an upcoming security conference.
It appears, however, that one GitHub user had no plans to wait around for that. Whether user "Poliva" already knew about the exploit or worked it out from what Bluebox had revealed so far, he has released proof-of-concept code, and it is a mere 32 lines long:
Not only is the entire script small, the line count could easily have been reduced further by combining some of the basic file system calls (cd, mkdir) onto a single line. That aside, the code is far simpler in design than I would have expected; it appears to be a standard bash script that any technically inclined Linux user could write. You might need to be familiar with the underpinnings of Android to understand what some of the switches do, but it appears to take an APK, extract it, run Java and Python scripts to decompile it and modify the specific code required, in a way that leaves the package's original signature intact (which is the heart of the Bluebox finding), and finally spit out your modified APK, humorously prefixed with "evil-".
It is not often that a proof of concept can be executed this easily (the script will run on any Linux box that has the tools and scripts it calls upon), but the real threat is to those who use third-party app stores. Google has never recommended using them, because it has no control over what they distribute. By contrast, APKs on the official Play Store go through a number of scans, so while it is still possible that a tampered APK like this could find its way there, it is far less likely.
Also unlikely is seeing the majority of affected devices patched. Android 1.6 has long gone the way of the dodo, and even 2.3 (Gingerbread) has been abandoned by most manufacturers. It would be rather impressive to see a fix for anything of that era.