cbcvebase.
CVE-2013-4787
published 2013-07-09

CVE-2013-4787: Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code…

PriorityP269critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
58.92%
99.0th percentile
Android 1.6 Donut through 4.2 Jelly Bean does not properly check cryptographic signatures for applications, which allows attackers to execute arbitrary code via an application package file (APK) that is modified in a way that does not violate the cryptographic signature, probably involving multiple entries in a Zip file with the same name in which one entry is validated but the other entry is installed, aka Android security bug 8219321 and the "Master Key" vulnerability.

Affected

31 ranges· showing 25
VendorProductVersion rangeFixed in
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid
googleandroid

Detection & IOCsextracted from sources · hover to see the quote

filenameevil-$APK
filenamepoc.py
commandjava -jar apktool.jar d $APK out
commandjava -jar apktool.jar b out out.apk
  • Detect APK ZIP files containing duplicate filenames (same entry name appearing more than once) — one entry is validated by signature verification while the other is installed, which is the core exploit primitive.
  • Flag APK files where a ZIP append operation has been performed (e.g., via Python zipfile 'a' mode) to inject unsigned duplicate entries after the signed content.
  • Monitor for PoC script patterns: shell scripts invoking apktool to decompile/recompile an APK followed by ZIP manipulation to append original entries into the rebuilt package.
  • Inspect APK files for the Android Master Key bug 8219321: presence of duplicate ZIP entries where the second (appended) entry shadows the first during installation but the first was used for signature validation.
  • ·Affected Android versions span 1.6 Donut through 4.2 Jelly Bean; devices running versions outside this range or with vendor patches for bug 8219321 are not vulnerable.
  • ·The vulnerability does not require the APK's cryptographic signature itself to be broken — the APK passes signature verification because the validated entry is legitimate; only the installed (duplicate) entry is malicious.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.