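Virus knowledge base

Analyzing the techniques used by criminals allows us to predict how they are likely to develop, so that we can defend more effectively against threats we may encounter in the future. You can also learn how malicious programs operate in infected systems and how to defend against them.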

Exploit.APKDuplicateName in virus library:

Android applications possessing the “Master Key” vulnerability (CVE-2013-4787) or the “Extra Field” vulnerability are detected as Exploit.APKDuplicateName.

The first vulnerability lies in how the operating system handles a program during installation. If an APK package contains two files with the same name in one subfolder (for example, two classes.dex files), the operating system verifies the digital signature of the first file and leaves the second file unchecked. However, the second file is the one used for the installation. By creating such an APK package, cybercriminals can add malicious code to any legitimate application: the digital signature of the program does not change, so users will not suspect anything.

Dr.Web Anti-virus detects all Android applications possessing the “Master Key” vulnerability as Exploit.APKDuplicateName, regardless of whether the vulnerability is a developer’s mistake or was introduced on purpose.

The second vulnerability exploits an error in how the digital signatures of APK packages are processed. APK files are, in fact, ZIP archives containing all components of an Android application, including the classes.dex file. These archives can have an extra field where various additional information is stored. Cybercriminals can exploit this property by entering the value of 65,533 bytes in this field and adding the original DEX file without the first three bytes. The original file is thereby replaced with its modified version. When such an APK file is installed, the operating system processes the ZIP archive by verifying the digital signature of the original DEX file. However, only the second classes.dex file, with which the original file is replaced, will be used for the installation.
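A defender-side check for the two archive anomalies described above, as an added example that is not Dr.Web's detection logic or code from the original page: it reports entry names that occur more than once and local-header extra-field lengths with the high bit set. The function names and the constructed sample archive are assumptions of this example, as is flagging every length of 0x8000 or more rather than only the 65,533 the page names.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

LOCAL_SIG = b"PK\x03\x04"   # ZIP local file header signature
EXTRA_LEN_OFF = 28          # offset of the 16-bit extra-field length in that header

def scan_apk(data: bytes) -> dict:
    """Report duplicate entry names and oversized local extra-field lengths."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()          # keeps every entry, duplicates included
    counts = Counter(e.filename for e in entries)
    duplicates = sorted(name for name, n in counts.items() if n > 1)
    suspicious = []
    for e in entries:
        hdr = data[e.header_offset:e.header_offset + 30]
        if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
            continue                     # not a readable local header
        (extra_len,) = struct.unpack_from("<H", hdr, EXTRA_LEN_OFF)
        # Assumption of this example: flag any length >= 0x8000; the page
        # itself names only the value 65,533.
        if extra_len >= 0x8000:
            suspicious.append((e.filename, extra_len))
    return {"duplicate_names": duplicates, "suspicious_extra": suspicious}

def build_sample(duplicate: bool = False, big_extra: bool = False) -> bytes:
    """Constructed test archive (not a real APK, contents are placeholders)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("classes.dex", b"constructed placeholder A")
            if duplicate:
                zf.writestr("classes.dex", b"constructed placeholder B")
            zf.writestr("AndroidManifest.xml", b"constructed placeholder")
    data = bytearray(buf.getvalue())
    if big_extra:
        # Only the length field of the first local header is changed.
        struct.pack_into("<H", data, EXTRA_LEN_OFF, 65533)
    return bytes(data)

if __name__ == "__main__":
    for label, sample in (("clean", build_sample()),
                          ("duplicate", build_sample(duplicate=True)),
                          ("extra", build_sample(big_extra=True))):
        print(label, scan_apk(sample))
```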

The “Master Key” and “Extra Field” vulnerabilities have already been eliminated by Google engineers. However, issuing further updates for Android mobile devices is now the responsibility of the respective manufacturers. Because a large number of mobile devices on the market are no longer supported by their manufacturers, it is highly likely that these vulnerabilities will never be fixed on those devices. Still, we recommend that you install all official updates as soon as they are issued, regardless of the production date of your mobile device.

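Virus name classification

According to statistics, one in five Android applications contains a vulnerability (in other words, a flaw) that allows criminals to successfully plant mobile Trojans on a device and perform the actions they want.

The Security Auditor in Dr.Web for Android diagnoses and analyzes the security of a mobile device and suggests solutions when it finds problems and vulnerabilities.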