Extra Field is a vulnerability in Google Android that lets cybercriminals change the contents of any application's installation package without invalidating its digital signature. Using this vulnerability, virus makers can distribute Trojans by incorporating a malicious component into any legitimate or trusted application.
Dr.Web anti-virus for Android cannot eliminate this vulnerability, since it resides in one of the operating system's components. However, the anti-virus does successfully detect and remove the malicious programs that spread by means of this vulnerability whenever such a program attempts to penetrate a protected device or to launch on it.
Installation packages for Google Android applications are distributed as files with the .APK extension, which are essentially ZIP archives containing all the components the application needs to run. During installation, the components are extracted from the archive and their checksums are verified against a special list. Every application carries its own digital signature.
Using the Extra Field vulnerability, cybercriminals can alter the structure of the APK archive in the following way: the contents of one of the original program components (for example, the classes.dex file) are placed in the archive's service field, minus the first three bytes, while the file itself is replaced with a modified version. The system accepts the modified version as the legitimate one and allows it to be installed. Although practical use of this vulnerability is limited by the size of the DEX file, which cannot exceed 65,533 bytes, cybercriminals interested in the attack can still exploit it by choosing a harmless program or game whose component is of the required size.
The APK file contains the classes.dex file with the application's compiled code. The header of the APK archive entry has a field where the name of the file with the .dex extension is stored, and a so-called "extra" field, where the contents of classes.dex and the list of classes used by the application are stored. If the name field is shortened by three bytes, the length of the corresponding field changes as well. This allows cybercriminals to place the original classes.dex file into the extra field alongside a malicious copy of it, part of which is also incorporated into the extra field. The modified field can contain malicious classes created by the cybercriminals. During installation, the operating system reads the contents of this field, and as a result the classes.dex file modified by the cybercriminals ends up installed on the attacked device.
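As an added, defensive example that is not part of Dr.Web's text or products, the following Python script inspects an APK entry by entry through the ZIP local file headers (the headers an installer reads) and flags an extra field that is oversized or that carries a DEX header. It assumes, as a detail the article does not state, that the installer-side mismatch involves the 16-bit extra-length field being read as a signed value, so lengths of 0x8000 bytes and above are treated as suspicious; it also assumes DEX images begin with "dex\n" followed by a version 035 to 039. All function and constant names, the 0x7E57 extra-record id and the placeholder DEX bytes in the fixture are invented for this example.

```python
import io
import re
import struct
import zipfile

# ZIP local file header: signature, version, flags, method, mtime, mdate,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
LOCAL_SIG = b"PK\x03\x04"
# A DEX image starts with "dex\n" + three-digit version + NUL. The article says
# the stashed copy lacks its first three bytes, so the "dex" prefix is optional.
DEX_SIGNATURE = re.compile(rb"(?:dex)?\n03[5-9]\x00")
# Assumption: an extra length of 0x8000 or more reads as a negative number in a
# parser that treats the 16-bit field as signed, which is the mismatch abused here.
SUSPICIOUS_EXTRA_LEN = 0x8000


def scan_local_headers(apk_bytes: bytes) -> list:
    """Walk every entry's local file header and report extra fields that look
    like a stashed payload. Returns (entry name, reason) tuples; [] means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            fields = LOCAL_HEADER.unpack_from(apk_bytes, off)
            if fields[0] != LOCAL_SIG:
                findings.append((info.filename, "local file header signature missing"))
                continue
            name_len, extra_len = fields[9], fields[10]
            extra_start = off + LOCAL_HEADER.size + name_len
            extra = apk_bytes[extra_start:extra_start + extra_len]
            if extra_len >= SUSPICIOUS_EXTRA_LEN:
                findings.append((info.filename,
                                 f"extra field is {extra_len} bytes, large enough to be misread as negative"))
            if DEX_SIGNATURE.search(extra):
                findings.append((info.filename, "DEX header found inside the extra field"))
            if LOCAL_SIG in extra:
                findings.append((info.filename, "nested local file header inside the extra field"))
    return findings


def build_sample_apk(stash_dex_in_extra: bool = False) -> bytes:
    """Constructed test fixture, not a real APK: a two-entry ZIP. With
    stash_dex_in_extra=True the classes.dex local header carries an extra field
    holding a placeholder DEX image minus its first three bytes, padded past
    0x8000 bytes, mirroring the layout the article describes (filler only)."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        manifest = zipfile.ZipInfo("AndroidManifest.xml", date_time=(2020, 1, 1, 0, 0, 0))
        zf.writestr(manifest, b"<manifest/>")
        dex = zipfile.ZipInfo("classes.dex", date_time=(2020, 1, 1, 0, 0, 0))
        if stash_dex_in_extra:
            stashed = fake_dex[3:] + b"\x00" * (SUSPICIOUS_EXTRA_LEN - len(fake_dex) + 3)
            # 0x7E57 is a made-up extra record id so zipfile accepts the field as well formed.
            dex.extra = struct.pack("<HH", 0x7E57, len(stashed)) + stashed
        zf.writestr(dex, fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_apk()),
                          ("stashed", build_sample_apk(True))):
        print(label, scan_local_headers(sample) or "no findings")
```

The scanner deliberately reads the local headers itself instead of trusting the central directory, because the central directory is what a signature check sees while the local header is what the installer follows; a disagreement between the two is the whole point of this bug. It does not flag extra fields merely for being malformed, since legitimate alignment tools pad that field with a few zero bytes.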