Recently, Bluebox Security announced a vulnerability in Android that allows an attacker to modify the code in an APK while bypassing the APK certificate (signature) check. The vulnerability is named the Master Keys Vulnerability and will be presented by Bluebox Security at Black Hat USA 2013.
According to AegisLab's analysis, some Sony and Samsung devices running Android 4.2 have already been patched. Here are the technical details:
The key point is a duplicated classes.dex entry in the ZIP (APK) file. The sample contains two classes.dex files: the modified one (07-09-2013) and the original one (03-13-2013). The modified classes.dex MUST be placed before the original one in the archive.
When installing an APK file, Android checks the APK's certificate. The core of that check is the mEntries structure of ZipFile. When the ZIP file is read, each Zip Central Directory entry is found and, with its name as the key, put into a LinkedHashMap in entry order:
On a key collision, LinkedHashMap maps the key to the new value and returns the old one, so the later entry wins.
Therefore the certificate check is performed against the original classes.dex.
When the app is run, the key steps are:
Open the ZIP file
Find the DEX in the ZIP file, USING THE ZIP ENTRY ORDER, and RETURN ON THE FIRST MATCH.
Therefore it runs the modified classes.dex, because the first entry wins here.
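The two lookups described above can be modelled side by side. This is an added example, not code from the AegisLab post or from Android: it constructs an in-memory ZIP with two classes.dex entries (constructed sample bytes, not a real DEX), shows that a "last entry wins" map and a "first match wins" walk disagree on which body they return, and provides the check a scanner would apply, which is to reject any archive whose central directory lists a name more than once.

```python
import collections
import io
import warnings
import zipfile


def build_zip_with_duplicate(name, first_data, second_data):
    """Construct an in-memory ZIP (stand-in for an APK) whose central
    directory carries two entries with the same name, in that order."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(name, first_data)
            zf.writestr(name, second_data)
    return buf.getvalue()


def last_wins_lookup(zip_bytes, name):
    """Model the verifier's view (LinkedHashMap keyed by name): a colliding
    name replaces the earlier entry, so the later body is what gets checked."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():          # central-directory order
            entries[info.filename] = zf.read(info)
    return entries[name]


def first_match_lookup(zip_bytes, name):
    """Model the loader's view: walk entries in order, return on first match."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)
    return None


def find_duplicate_entries(zip_bytes):
    """Defensive check: names listed more than once in the central directory.
    A non-empty result means the archive should be rejected before any
    signature verification is attempted."""
    seen = collections.Counter()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            seen[info.filename] += 1
    return sorted(n for n, c in seen.items() if c > 1)


if __name__ == "__main__":
    apk = build_zip_with_duplicate("classes.dex", b"MODIFIED-DEX", b"ORIGINAL-DEX")
    print("verified body:", last_wins_lookup(apk, "classes.dex"))
    print("executed body:", first_match_lookup(apk, "classes.dex"))
    print("duplicates:   ", find_duplicate_entries(apk))
```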
AegisLab Antivirus Free and Premium can detect the Master Keys Vulnerability!
Please keep your engine and signatures up to date.
Analyzed by Ohoh and Rex