by Dan Goodin, arstechnica
A security researcher has published working exploit code that allows attackers to surreptitiously turn legitimate apps running on Google’s Android mobile operating system into malicious trojans. Around the same time, Google said it released a patch that helps protect users from abuse. As previously reported, the weakness involves the way legitimate Android applications are cryptographically signed to ensure they haven’t been modified by anyone other than the trusted developer. Researchers at security startup Bluebox provided high-level details of the vulnerability last week but omitted the technical details most people would need to reproduce the attack. That didn’t stop members of CyanogenMod, an alternative Android firmware distribution, from piecing the available details together into this bug report, which identifies the conditions necessary for exploiting the vulnerability. It also incorporates a fix from Google into the CyanogenMod code.