Co-Authored by: Hanan Ben-nun

The AVG Mobile Security team has managed to exploit a reported vulnerability in the Android OS that affects its digital signature verification process. The vulnerability enables the modification of a signed APK, turning it into malware while leaving the OS blind to the change.

Attackers can exploit this vulnerability to modify any legitimate and digitally signed application and turn it into malware, which can later be used to steal data or take control of the device.

For example, by reproducing a successful hack in our labs, our researchers were able to replace the icon in an authentic, signed Gmail app without breaking its digital signature. Below is a screenshot of the modified Gmail application running on an Android device, showing an icon different from the original one:

It is important to note that this vulnerability does not affect applications downloaded from Google Play.

An attacker cannot use Google Play to distribute an application that was modified using this vulnerability.

However, Android users who download applications from third-party Android application stores, mail attachments or memory sticks are at risk.

AVG recommends that all users verify that downloads from Unknown Sources are disabled. This option can be found in Settings -> Security -> Unknown sources. Users should ensure that their device's settings match the example below: