Researchers are sounding alarms over the discovery of yet another security vulnerability in the Android mobile platform.
The flaw, first spotted by researchers in China, would potentially allow an attacker to manipulate an otherwise legitimate Android APK to execute malicious code without detection by the system.
According to researchers at Sophos, the vulnerability lies in the way Android handles compressed APK files. By modifying an application's .dex file to be a certain size, an attacker could potentially instruct the system to skip the execution of legitimate code and instead run attack code.
The result, says Sophos researcher Paul Ducklin, is a method that could allow malware writers to modify and redistribute applications with their attack code embedded inside.
“That's a bug in any language, and a discomfiting one for Google, whose security teams will surely consider this an elementary mistake that ought to have been caught in testing, if not during code review,” said Ducklin.
The discovery of the flaw comes in the wake of another high-profile security disclosure for the Android platform. Known as the 'master lock' vulnerability, that flaw afflicts around 99 percent of Android devices.
According to Ducklin, the new security hole is not likely to be as prevalent. He noted that implementing the attack requires files to be a specific size and length as well as to have a certain name, and that many Android applications do not appear to be compatible with the attack technique.
The flaw has already been addressed by Google and can be patched by installing the latest firmware updates from the company.
As Ducklin noted, however, the Android ecosystem, which relies on hardware vendors to distribute updates, could leave many users running devices that are still vulnerable to attack.
“Although Google has indeed responded quickly by patching both holes, and should be commended for its efficiency, that doesn't get the fixes out into the wider world,” he said.
“It remains to be seen how hard Mountain View will lean on its many handset licensees to push out firmware updates for the 'extra field' and 'master key' flaws, since they go to the heart of application verification on the Android platform.”