bypass security software certificate white list in android l & m

Posted by trammel at 2020-02-28

Post by Gandalf

AVL mobile security team recently found that there are some problems in the signature mechanism of Android L & M system, which will cause malicious software to bypass some mobile security software using the certificate white list mechanism, resulting in being unable to be killed.

Recently, AVL mobile security team found that a class of malware has the following characteristics:

This malware has two signature files:

According to the analysis, cert.dsa is the official signature of EA Mobile game, which has been listed in the certificate white list by some mobile security software. This is generated in APK file during repackaging. Cert.rsa is the official signature of the malicious sample.

Usually, there are three files in the meta-inf folder of APK, named, cert.sf and cert.rsa/dsa/ec, which are signature files generated by using signapk.jar. Among them:

Normally, only one cert.rsa/dsa/ec signature file will be generated in an APK. However, if other signature files are added to the APK package, two or more signature files can exist at the same time.

Malware cannot be installed on Android 4. X, and Android 5. X and above can be installed successfully

Android supports DSA, RSA and EC encryption algorithms for signature: Android 4.4 api19 - java.util.jar. Jarverifier: Android 5.1 api22 - java.util.jar. Jarverifier:

Comparing the code comparison between Android 4.4 and Android 5.1, a section of verification code for verifycertificate (key) results is deleted in Android 5.1, which can result in:

Actual test:

1. Taking the interceptor a.apk as an example (June 10, 2015), 24 / 57 of VT was detected before treatment

2. The intercepted horse is repackaged and signed with EC algorithm, and the RSA certificate of a large factory is implanted:

3 upload VT test (June 10, 2015), 20 / 57 of them are detected, and four security software are bypassed:

Four and a half months later, the VT test continued (June 26, 2015). Although there are eight more manufacturers detected, there are still four security software bypassed:

Although it is not clear what kind of strategy Google deleted this code in Android L, so that only one signature file in APK can be verified and installed, it is still the same in Android m preview. But it brings some security problems to the security software that uses Android 4. X to verify and sign.

Certificate whitelist mechanism is a common way of whitelist in security software. If it is bypassed, the consequences are hard to estimate. Due to the different detection strategies of various security software, the actual test of this bypass mode does not affect the number of security software, but there are both at home and abroad, which will still cause security risks to many ordinary users, hoping that the bypassed manufacturer can fix the problem in time.

In view of the fact that the maintenance of VT is not always timely by the security manufacturers, the reference information is limited and the test is not necessarily accurate.

AVL mobile security team focuses on mobile internet security technology research and anti-virus engine development, providing powerful mobile security solutions. Welcome to our WeChat official account AVLTeam. We will publish some mobile security related information regularly, hoping to help you. Please indicate the source of Reprint: P = 2353

Article sharing address: