Details: Android does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature. Android security bug 8219321. [citation-needed]
Details: APK signature verification does not check name lengths correctly, creating a difference between how the zip files are verified compared with how they are extracted which allows files in an existing APK to be replaced with new files. [saurik-19]
Exploited by RockMyMoto [androidpolice-rockmymoto]
Details: File offsets in zips are supposed to be unsigned but were interpreted as signed allowing different content to be verified from the content executed. [citation-needed]
Details: The software does not properly validate an application's certificate chain. An application can supply a specially crafted application identity certificate to impersonate a privileged application and gain access to vendor-specific device administration extensions. The vulnerability resides in the createChain() and findCert() functions of the Android JarUtils class. [securitytracker-1030654]
Google bug 13678484 [blackhat-briefing-fakeid]
Discovered by: Jeff Forristal of Bluebox [bluebox-fakeid] on: Unknown
Fixed versions: there is no single, specific “fixed” version of Android. In fact, multiple vendors are maintaining the same prior version number, and only patching the functionality. We have confirmed “fixed” versions existing within the ranges of 4.1, 4.2, 4.3, and 4.4 [bluebox-fakeid]
