Android-SigMorph: Covert Communication Exploiting Android Signing Schemes

By Ayan Saha, Achute Sharma on 23 Sep 2023 @ Nullcon
#android #application-pentesting #static-analysis #dynamic-binary-instrumentation
Focus Areas: 🔐 Application Security, 🦠 Malware Analysis, 📱 Mobile Security, 🔬 Reverse Engineering

Abstract

Are you fascinated by the intricacies of Android binaries and eager to push the boundaries of what you can achieve with them? Do you want to explore techniques to evade detection and enhance the capabilities to perform covert communication? Then this talk is tailor-made for you.

In this talk, we will be diving into the world of Signature Schemes (v1, v2, v3) used in Android APKs and the misuse of their shortcomings. We will show how you can change an Android APK binary without breaking its signature.

We will also talk about the potential use cases of this technique, both malicious and non-malicious. As part of the malicious use case, we will show how malicious data embedded in legitimate applications downloaded from the Play Store goes undetected by AVs while the application's signature still verifies, and how the same technique produces malware variants with lower detection counts, using the Pegasus malware as an example.

AI Generated Summary

The presentation introduces "Android-SigMorph" (signature morphing), a technique for modifying Android APK files without invalidating their cryptographic signatures. The core research focuses on exploiting unprotected regions within the APK Signing Block introduced in Android's v2 and v3 signing schemes.

Key findings reveal that while the v2 scheme protects the main APK contents (ZIP entries, central directory), several optional blocks within the APK Signing Block—such as verity padding, Source Stamp, Google Play Frosting, and dependency info—are not covered by the signature digest. These blocks can be altered or replaced via hex editing. Furthermore, the End of Central Directory record's central directory offset, which must be updated when the APK Signing Block is inserted, is also unprotected. This allows an attacker to append arbitrary data to the APK, even in the absence of optional blocks, by correctly adjusting the signing block size and the central directory offset.

The technique was demonstrated by modifying the verity padding block in a legitimate Facebook APK; the signature remained valid despite the changes. A survey of Play Store and malware samples showed the verity padding block is ubiquitous, as it is added by default by the official apksigner tool. Practical implications are dual-use: benign applications include watermarking or reproducible builds, while malicious uses involve evading detection. By appending malicious payloads or bloating APK size (e.g., increasing a 64KB Pegasus sample to 100MB), static hash-based detections and some sandboxing tools are bypassed, as the original signature still verifies. Covert communication channels can also be established by embedding data in signed, trusted applications. The research concludes that signature morphing undermines the assumption that an APK is immutable after signing, particularly for the v2/v3 schemes, and highlights a gap in current verification logic, which validates only the protected segments.
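The summary above describes the APK Signing Block layout (size, ID-value pairs, size, magic, sitting just before the central directory) and the regions a v2/v3 verifier never digests. The following inspector is an added example, not code from the talk or from the Android project: it locates the signing block via the EOCD record, enumerates the ID-value pairs, and reports bytes that lie outside the signed digest, flagging a verity padding block that carries non-zero data or any block ID a verifier does not know. The v2, v3 and verity padding block IDs are the well-known values from the Android APK signing format; the in-memory sample APK, its dummy "v2" value and the hidden payload are constructed for the demonstration and are not real signatures.

```python
"""Audit an APK Signing Block for data outside the signed digest (added example)."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A        # APK Signature Scheme v2 block
V3_BLOCK_ID = 0xF05368C0        # APK Signature Scheme v3 block
VERITY_PADDING_ID = 0x42726577  # padding block apksigner adds by default
SIGNATURE_IDS = {V2_BLOCK_ID: "v2 signature", V3_BLOCK_ID: "v3 signature"}


def _eocd_offset(data: bytes) -> int:
    """Locate the End of Central Directory record (PK\\x05\\x06), searching from the end."""
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("not a ZIP: no EOCD record")
    return idx


def parse_signing_block(data: bytes):
    """Return the signing block layout, or None when the APK carries no block.

    Layout: uint64 size | ID-value pairs (uint64 len, uint32 id, value) | uint64 size | magic.
    The block sits immediately before the central directory, whose offset the EOCD holds.
    """
    eocd = _eocd_offset(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]  # EOCD+16: central directory offset
    if cd_offset < 24 or data[cd_offset - 16:cd_offset] != APK_SIG_BLOCK_MAGIC:
        return None
    size_footer = struct.unpack_from("<Q", data, cd_offset - 24)[0]
    start = cd_offset - size_footer - 8          # size field excludes its own 8 bytes
    if start < 0:
        raise ValueError("corrupt signing block: size runs past start of file")
    size_header = struct.unpack_from("<Q", data, start)[0]
    pairs, pos, end = [], start + 8, cd_offset - 24
    while pos + 12 <= end:
        length, block_id = struct.unpack_from("<QI", data, pos)
        pairs.append((block_id, data[pos + 12:pos + 8 + length]))  # length covers id + value
        pos += 8 + length
    return {"start": start, "cd_offset": cd_offset, "size_header": size_header,
            "size_footer": size_footer, "pairs": pairs}


def audit(data: bytes) -> list:
    """Findings about bytes a v2/v3 verifier does not cover; empty list means nothing odd."""
    info = parse_signing_block(data)
    if info is None:
        return ["no APK Signing Block (v1-only or unsigned)"]
    findings = []
    if info["size_header"] != info["size_footer"]:
        findings.append("signing block size fields disagree")
    for block_id, value in info["pairs"]:
        if block_id in SIGNATURE_IDS:
            continue  # the verifier parses and checks these blocks
        nonzero = sum(1 for b in value if b)
        if block_id == VERITY_PADDING_ID:
            if nonzero:
                findings.append(f"verity padding block carries {nonzero} non-zero bytes "
                                f"of {len(value)} (not covered by the signature)")
        else:
            findings.append(f"unknown block 0x{block_id:08x} with {len(value)} bytes "
                            f"(not covered by the signature)")
    return findings


def build_sample_apk(pairs) -> bytes:
    """Constructed sample: a tiny ZIP with a signing block holding `pairs` inserted before
    the central directory and the EOCD offset adjusted, mirroring the layout apksigner
    produces. The values are dummy bytes, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    z = buf.getvalue()
    eocd = _eocd_offset(z)
    cd_offset = struct.unpack_from("<I", z, eocd + 16)[0]
    body = b"".join(struct.pack("<QI", 4 + len(v), bid) + v for bid, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    out = bytearray(z[:cd_offset] + block + z[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


# Constructed samples: an all-zero padding block versus one hiding a message.
CLEAN = build_sample_apk([(V2_BLOCK_ID, b"\x00" * 32), (VERITY_PADDING_ID, b"\x00" * 64)])
MORPHED = build_sample_apk([(V2_BLOCK_ID, b"\x00" * 32),
                            (VERITY_PADDING_ID, b"hidden message".ljust(64, b"\x00"))])

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN), ("morphed", MORPHED)):
        # ZIP entries are untouched in both samples; only the unsigned region differs.
        print(label, zipfile.ZipFile(io.BytesIO(apk)).namelist(), audit(apk))
```

Running the block shows both samples open as identical ZIPs while only the morphed one produces a finding, which is the detection gap the talk points at: a hash of the protected segments alone never changes, so an inspector has to look at the unsigned region explicitly.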

Disclaimer: This summary was auto-generated from the video transcript using AI and may contain inaccuracies. It is intended as a quick overview — always refer to the original talk for authoritative content.