Master Key vulnerability

The Master Key vulnerability allowed an attacker to create two files with the same name in an APK, which caused the Android package manager to verify only the first file's cryptographic signature while ignoring the second file with the same name. This allowed an attacker to inject malicious code into the APK without breaking the signature, making it difficult for security measures to detect the tampering.
Google released a patch for the Master Key vulnerability shortly after it was discovered. Android users should keep their devices updated to the latest security patches to protect against this and other security vulnerabilities.
Let's go through it step by step:
First, we try to change the content of a file in the APK. To do that, we open the APK in WinRAR, select a file and open it in an editor. Then we change a small piece of data:
The error is:
OK, in the next step, let's calculate the hash of this file and then put it back in MANIFEST.SF.
First we calculate the hash:
Then we change the hash in MANIFEST.SF:
Then let's install it:
We also can't add a new file to this archive or delete one. But what if we add a file with a name that already exists in the archive?
Is it possible?
Indeed, it is possible. Let's begin. We want to add a second classes.dex file; as you are aware, a file with this name is already contained in the APK archive. To do that, we first add a file named classesz.dex. Then we open the APK with HxD, find classesz.dex and rename it to classes.dex. Then we try to install it. On Android versions from before 2013 this worked, because when the signing system validates the package it validates the first classes.dex file, and when the Android system installs it, the second one is chosen.
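The trick depends on two parsers resolving the same entry name to different records, so a defender can flag any APK whose ZIP directory lists a name more than once. The following check is an added example, not part of the original page; the function names and the in-memory sample archive (placeholder bytes, not a real APK) are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(apk_bytes):
    """Return {name: [(header_offset, size, crc), ...]} for names listed more than once."""
    by_name = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, including repeats.
        for info in zf.infolist():
            by_name[info.filename].append((info.header_offset, info.file_size, info.CRC))
    return {name: recs for name, recs in by_name.items() if len(recs) > 1}


def resolved_entry(apk_bytes, name):
    """Show which record a name-keyed lookup returns (Python's zipfile keeps the last)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)


def build_sample(duplicate):
    """Constructed test archive with placeholder bytes, used only to exercise the check."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeated names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"placeholder-A")
            if duplicate:
                zf.writestr("classes.dex", b"placeholder-B")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(duplicate=True)
    for name, records in find_duplicate_entries(sample).items():
        print(f"REJECT: {name} appears {len(records)} times")
        for offset, size, crc in records:
            print(f"  offset={offset} size={size} crc32={crc:08x}")
```

A name-keyed lookup such as `resolved_entry` silently returns only one of the records, which is why the check walks the full entry list instead of asking for a file by name.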