A security researcher has published working exploit code that allows attackers to surreptitiously turn legitimate apps running on Google's Android mobile operating system into malicious trojans. Around the same time, Google said it released a patch that helps protect users from abuse.
As previously reported, the weakness involves the way legitimate Android applications are cryptographically signed to ensure they haven't been modified by parties other than the trusted developer. Researchers at security startup Bluebox provided high-level details of the vulnerability last week, but omitted technical details most people would need to reproduce the attack. That didn't stop developers of CyanogenMod, an alternative Android firmware version, from piecing together the available details into a bug report that identifies the conditions necessary for exploiting the vulnerability. The report also incorporates the fix from Google into the CyanogenMod code.
Working from that description, Pau Oliva Fora, senior mobile security engineer at viaForensics, published proof-of-concept code that allows anyone with a moderate level of skill to modify an existing Android app without changing the cryptographic signature that's supposed to certify it hasn't been tampered with. The 32-line exploit demonstrates the ease of exploiting the vulnerability and the consequences the flaw might have for people who install and update apps from third-party sources.