Major Flaw Discovered with Android’s APK Update Mechanic

Researchers at Bluebox Security have disclosed information about a major bug that affects the Android OS dating back to 1.6 – essentially 900 million devices. The folks there will reveal all of the details at the Black Hat Briefings conference in Las Vegas at the start of August, but enough has been explained already to raise our awareness.

The issue lies with Android’s APK system. Each APK is signed with a digital signature so that the OS knows it’s legitimate and coming from a proper source; if you update an app, you’re effectively installing the app again, but with a newer APK (like an .exe on Windows). What this exploit would allow someone to do is to modify a given APK file and not affect its digital signature. This is like having one key that could open any car.

Admittedly, the actual risk to you is very low if you don’t side-load apps (aka: you only download from the Play Store). Google has many protections in place to prevent malware from getting into its store, and you’d imagine it’d be pretty difficult to inject a brand-new APK on its servers to replace an old one. But the risk is there, and it needs to be patched.

Because this dates back so far, it seems very likely that older devices will remain exposed forever. All this, for apparently two simple lines of code. It sure doesn’t take much, does it?

If you see an update hit your phone or other Android device soon: update!