A couple of days ago we wrote about a critical bug in nearly all versions of Android. Since then, a security researcher has published working exploit code, and Google said it released a patch that helps protect users from abuse. Full details at Ars Technica.
Working from that description, Pau Oliva Fora, senior mobile security engineer at viaForensics, published proof-of-concept code that allows anyone with a moderate level of skill to modify an existing Android app without changing the cryptographic signature that's supposed to certify it hasn't been tampered with. The 32-line exploit demonstrates the ease in exploiting the vulnerability and the consequences the flaw might have for people who install and update apps from third-party sources.
"I think it's a very serious vulnerability, and everyone with an unpatched device should be cautious about what they install, especially if it doesn't come from an official distribution channel," Oliva Fora wrote in an e-mail to Ars.