Beware of Manipulated APK Files – Apktool Vulnerability Allows Malicious File Placement

CVE: CVE-2024-21633
CVSS v3.1: 7.8
Source: CVE-2024-21633

Apktool is an open-source tool for reverse engineering Android APK files. Security researchers found that Apktool versions 2.9.1 and earlier are vulnerable to a file placement attack: a crafted APK can cause files to be written outside the directory Apktool is decoding into.

The vulnerability stems from how Apktool infers the output path of resource files from their names. A malicious actor can craft an APK whose resource names are manipulated so that, when Apktool decodes it, files are written to attacker-chosen locations on the user’s system.

If the user has write access to the targeted folders and the attacker can guess the username or current working directory, files could be written or overwritten. This could allow unwanted programs or modified files to be planted on the machine.
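The defensive check a decoder needs against this class of bug, as an added illustration that is not Apktool’s own code: every entry name in the archive is resolved against the intended output directory and rejected if it would land anywhere else. The sample APK is constructed in memory and the `apktool_out` directory name is an assumption.

```python
import io
import os
import zipfile
from typing import Dict, List, Optional

def resolve_inside(out_dir: str, entry_name: str) -> Optional[str]:
    """Return the absolute path an APK entry would be written to, or None if
    that path would escape out_dir (absolute names, '..' segments, or
    Windows drive / backslash forms)."""
    base = os.path.realpath(out_dir)
    # Treat backslashes as separators so "res\..\x" cannot slip past on POSIX.
    name = entry_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    target = os.path.realpath(os.path.join(base, name))
    if target != base and not target.startswith(base + os.sep):
        return None
    return target

def audit_apk(apk_bytes: bytes, out_dir: str) -> Dict[str, List[str]]:
    """Classify every entry of an APK (a zip archive) as safe or rejected for
    out_dir without writing anything to disk."""
    report: Dict[str, List[str]] = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            bucket = "rejected" if resolve_inside(out_dir, info.filename) is None else "safe"
            report[bucket].append(info.filename)
    return report

def build_sample_apk() -> bytes:
    """Constructed sample (not a real APK): one ordinary resource plus two
    entries whose names would leave the output directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/layout/main.xml", "<LinearLayout/>")
        zf.writestr("res/../../outside.txt", "would land two levels up")
        zf.writestr("/etc/absolute.txt", "absolute path")
    return buf.getvalue()

if __name__ == "__main__":
    # Assumed output directory name; nothing is created on disk.
    for bucket, names in audit_apk(build_sample_apk(), "apktool_out").items():
        print(bucket, names)
```

Running the audit before extraction is the detection step; the same `resolve_inside` check belongs in the write path itself so that a rejected name can never reach the filesystem.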

To protect yourself, update Apktool to the latest version, which contains a fix for this issue. Only decode APK files from official app stores or sources you trust, and watch for unexpected files being created or changed after inspecting an unknown APK.

Keeping software up to date and practicing basic cybersecurity hygiene helps defend against vulnerabilities like this. Reverse engineering tools have many legitimate uses, but it is important to be aware of the risk when the files they process can be manipulated.
