A serious Android vulnerability, set to be disclosed at the Blackhat conference, has now been publicly disclosed. The vulnerability allows attackers to inject malicious code into legitimate apps without invalidating the digital signature.
Android applications must be digitally signed. This allows one to ensure the code within the app has not been tampered with and also assures the code was provided by the official publisher. Furthermore, Android utilizes an app-level permission system where each app must declare and receive permission to perform sensitive tasks. Digital signing prevents apps and their accompanying permissions from being hijacked.
This serious Android vulnerability allows an attacker to hide code within a legitimate application and use existing permissions to perform sensitive functions through those apps. Details of the vulnerability can now be found online and are extremely simple to implement.
Injecting malicious code into legitimate apps has...