
Self-installation of the MTS application on Samsung devices: how could this happen

The essence of the problem has already been written here.

Summary: The “MTS Mobile Mail” application was spontaneously installed for users of some Samsung devices as part of the update process of the unrelated Samsung Social Hub application. It turned out that both applications have the same package name, which is what caused the confusion.


Below are the details of the update scenarios and parameters that caused this bug.

When Android was first introduced, Symantec worked through several upgrade scenarios. Our goal then was to identify the required fields that would need to be tested in case attackers tried to replace existing applications. Applications developed for Android must have a unique identifier for the software package, known as the package name. Beyond that, several more conditions must be met before an application can be updated via Google Play:

  1. The updated application must be signed in the same way as the existing copy.
    The signature requirement is meant to solve the problem of independent developers happening to choose the same package name;
  2. The versionCode and versionName parameters of the update must be larger than those of the existing application;
  3. Another barrier that keeps malicious code from obtaining privileges is that the Google Play automatic update function downloads a new version only if the new application does not require more permissions than the previous one.


Both applications used the same package name 'com.seven.Z7'. Samsung Social Hub is an application that was originally installed on some devices and was never published on Google Play. At the same time, the Samsung Social Hub app was signed by Seven, a mobile application developer.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1235473566 (0x49a3d49e)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C = US, ST = California, L = Redwood City, O = Seven Networks, OU = Seven Networks, CN = Seven Networks
            Validity
                Not Before: Feb 24 11:06:06 2009 GMT
                Not After: Jul 12 11:06:06 2036 GMT
            Subject: C = US, ST = California, L = Redwood City, O = Seven Networks, OU = Seven Networks, CN = Seven Networks



However, using the same package name is not enough for an application to become an update to another, unrelated application. In this case, though, the signing key of the MTS application matched as well. The outsourced developer accidentally used the same signature as well as the same package name for two of its products: one for Samsung and the other for MTS.

Interestingly, according to Symantec, the application 'com.seven.Z7' has been available through the Android Market since the end of 2011. But the problem arose only now, when its version numbers reached values exceeding the version of the Samsung application, and this is the last key criterion for the update.
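The update criteria listed above, applied to this incident, as an added example (not code from the original article or from Symantec). Only the package name comes from the article; the certificate bytes, version numbers and permission sets are constructed, and the sketch compares the integer versionCode only.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Apk:
    label: str
    package: str
    signer_der: bytes        # signing certificate bytes (constructed stand-ins below)
    version_code: int
    permissions: frozenset

    @property
    def signer_sha256(self) -> str:
        return hashlib.sha256(self.signer_der).hexdigest()


def update_blockers(installed: Apk, candidate: Apk) -> list:
    """Return the criteria that stop `candidate` from replacing `installed`.
    An empty list means it would be accepted as an update."""
    blockers = []
    if candidate.package != installed.package:
        blockers.append("package-name")
    if candidate.signer_sha256 != installed.signer_sha256:
        blockers.append("signature")
    if candidate.version_code <= installed.version_code:
        blockers.append("version")
    if not candidate.permissions <= installed.permissions:  # subset test
        blockers.append("new-permissions")
    return blockers


# Constructed sample data: only the package name is taken from the article.
SEVEN_CERT = b"constructed stand-in for the shared Seven Networks certificate"
OTHER_CERT = b"constructed stand-in for an unrelated developer certificate"
PERMS = frozenset({"android.permission.INTERNET", "android.permission.READ_CONTACTS"})

social_hub = Apk("Samsung Social Hub (preinstalled)", "com.seven.Z7", SEVEN_CERT, 300, PERMS)
mts_early = Apk("MTS Mobile Mail, early build", "com.seven.Z7", SEVEN_CERT, 120, PERMS)
mts_later = Apk("MTS Mobile Mail, later build", "com.seven.Z7", SEVEN_CERT, 310, PERMS)
name_clash = Apk("Unrelated app, same name", "com.seven.Z7", OTHER_CERT, 999, PERMS)

if __name__ == "__main__":
    for apk in (mts_early, mts_later, name_clash):
        print(f"{apk.label}: {update_blockers(social_hub, apk) or 'accepted as update'}")
```

The same function can be run over an inventory of preinstalled packages and store listings to flag any pair where every criterion except the version already matches.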

Google has already responded to the incident: the application can no longer be downloaded via Google Play.

Source: https://habr.com/ru/post/141297/

