A Brief Overview

The Extra Field vulnerability exists because of a signed/unsigned error when verifying the cryptographic signature of an APK's files. In a Zip file (APKs are Zip files) there is an Extra Field entry in each file's local header (see header structure here). When checking the signature of a file, the Extra Field Length is treated as a signed short. The verifier attempts to jump over the Extra Field to the file's bytes. When the length is set to 0xFFFD (-3), the verifier jumps 3 bytes backward into the file name (classes.dex), which shares its last three bytes (dex) with the start of a Dex file. The loader treats the Extra Field Length correctly, as an unsigned short, so it jumps forward, over the Extra Field, to load the file. If you place the original Dex file, overlapping the file name, into the Extra Field, it will be verified. You may then place a different Dex file in the original file's place. This injected Dex file (likely malicious) will be loaded and run without breaking the APK's signature.
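The divergence described above is easy to see by parsing a local file header both ways. The following Python is an added example, not code from the original post or from the Arctic.apk sample: it builds a constructed classes.dex entry with a 65533-byte (0xFFFD) Extra Field, computes where a signed-short reader and an unsigned-short reader each think the file data begins, and includes a small audit that walks local headers and flags any entry whose Extra Field Length has the sign bit set, which is the condition a verifier and a loader would disagree on. The header layout follows the PKWARE APPNOTE local file header; the payload marker string and the zero-filled Extra Field are constructed for this example.

```python
import struct

# Zip local file header (PKWARE APPNOTE 4.3.7): 30 fixed little-endian bytes, then
# the file name, then the Extra Field, then the file data. Fields, in order:
# signature, version needed, flags, method, mod time, mod date, crc32,
# compressed size, uncompressed size, file name length, Extra Field length.
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)  # 30
LOCAL_HEADER_SIG = 0x04034B50


def build_local_entry(name, extra, data):
    """Build one stored (method 0) local header followed by its file data.

    The Extra Field length written to the header is the real length of `extra`,
    so an Extra Field of 65533 bytes yields the 0xFFFD the post describes.
    """
    hdr = struct.pack(LOCAL_HEADER_FMT, LOCAL_HEADER_SIG, 20, 0, 0, 0, 0,
                      0, len(data), len(data), len(name), len(extra))
    return hdr + name + extra + data


def parse_local_header(buf, off):
    f = struct.unpack_from(LOCAL_HEADER_FMT, buf, off)
    if f[0] != LOCAL_HEADER_SIG:
        raise ValueError("no local file header at offset %d" % off)
    return {"comp_size": f[7], "name_len": f[9], "extra_len": f[10]}


def to_signed16(v):
    """Reinterpret a uint16 the way a Java `short` would: 0xFFFD -> -3."""
    return v - 0x10000 if v & 0x8000 else v


def data_offset_unsigned(buf, off):
    """Start of file data as the loader computes it (Extra Field length as uint16)."""
    h = parse_local_header(buf, off)
    return off + LOCAL_HEADER_SIZE + h["name_len"] + h["extra_len"]


def data_offset_signed(buf, off):
    """Start of file data as the vulnerable verifier computed it (length as int16)."""
    h = parse_local_header(buf, off)
    return off + LOCAL_HEADER_SIZE + h["name_len"] + to_signed16(h["extra_len"])


def audit_local_headers(buf):
    """Walk consecutive local headers and report every entry whose Extra Field
    length has the sign bit set, i.e. where a signed and an unsigned reader
    would disagree about where the file data begins. Returns
    [(file name, raw length, length as signed short), ...]."""
    findings = []
    off = 0
    while off + LOCAL_HEADER_SIZE <= len(buf) and \
            struct.unpack_from("<I", buf, off)[0] == LOCAL_HEADER_SIG:
        h = parse_local_header(buf, off)
        name_start = off + LOCAL_HEADER_SIZE
        name = buf[name_start:name_start + h["name_len"]].decode("latin-1")
        if h["extra_len"] & 0x8000:
            findings.append((name, h["extra_len"], to_signed16(h["extra_len"])))
        off = data_offset_unsigned(buf, off) + h["comp_size"]
    return findings


def constructed_sample():
    """Constructed for this example (not bytes from Arctic.apk): a classes.dex
    entry with a 65533-byte Extra Field, so the header's length field reads
    0xFFFD. The Extra Field is zero-filled here; the marker string that follows
    stands in for the Dex file the loader would actually read."""
    return build_local_entry(b"classes.dex", b"\x00" * 0xFFFD, b"INJECTED-PAYLOAD")


def demo():
    buf = constructed_sample()
    ver = data_offset_signed(buf, 0)    # 30 + 11 - 3 = 38: inside the file name
    load = data_offset_unsigned(buf, 0)  # 30 + 11 + 65533 = 65574: past the Extra Field
    return {
        "verifier_reads": bytes(buf[ver:ver + 3]),   # b"dex", the tail of "classes.dex"
        "loader_reads": bytes(buf[load:load + 16]),  # b"INJECTED-PAYLOAD"
        "findings": audit_local_headers(buf),        # [("classes.dex", 0xFFFD, -3)]
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the three views side by side: the signed reader lands on "dex" three bytes before the end of the file name, the unsigned reader lands on the marker payload after the Extra Field, and the audit reports the one entry whose length field would be read as negative. Any Extra Field Length of 0x8000 or more in a real APK is worth treating as suspicious, since legitimate tooling has no reason to emit one that large.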
The Sample

Checking the files inside Arctic.apk, it is fairly obvious that it is up to something. Inside the /assets/ folder we see the following files:

DoubleRainbow.apk

The presence of Superuser.apk indicates that Arctic will likely be rooting the device. Arctic is fairly simple: it installs and runs DoubleRainbow.apk, which was originally a system package for the Kobo Status Bar. Since it is a system package, it is granted elevated privileges on the device. The Extra Field exploit allowed the author to inject custom code to be run by this package. In order to match the size of the replaced classes.dex, the injected Dex file was padded out with a 2599-byte string, "LOLOLOL...". Once executed, the custom classes.dex runs wifiScript.sh, the contents of which can be seen here:
mount -o rw,remount /system
cat /data/data/com.android.innocomm.EngineerMode/su >/system/xbin/su
chmod 6755 /system/xbin/su
cat /data/data/com.android.innocomm.EngineerMode/Superuser.apk >/system/app/Superuser.apk
chmod 644 /system/app/Superuser.apk
pm uninstall com.kobo.statusbar

Since DoubleRainbow.apk is running in a privileged mode, all it needs to do is copy over su and Superuser.apk.
Conclusion

The APK was authored by @zhuowei and can be found on their GitHub. Google had not yet indexed any of the source code, since it was posted so recently. The repository was found through the author's name on Arctic.apk's certificate:

Issuer: C=CA, ST=British Columbia, L=Vancouver, O=Unknown, OU=Unknown, CN=Zhuowei Zhang

As we can see from the following, the Kobo Status Bar APK (DoubleRainbow.apk) still contains the certificate issued by Jason Gamblen from Kobo Inc.

Issuer: C=CA, ST=Ontario, L=Toronto, O=Kobo, OU=Android Team, CN=Android/emailAddress=firstname.lastname@example.org

While this APK is not malicious, it demonstrates how easy it is to gain root access using the Extra Field vulnerability. It is expected that this vulnerability and the Master Keys vulnerability will become common occurrences in Android malware.