Google Android ZIP File Extraction classes.dex File Signature Verification Bypass
Local Access Required
Mobile Phone / Hand-held Device
Loss of Integrity
Patch / RCS
The Android OS contains a flaw caused by unsigned values in extracted ZIP files. Using a specially crafted classes.dex file, a local attacker can bypass signature verification and replace classes.dex with a malicious version.
The vendor has released a patch to address this vulnerability. There are no known workarounds or upgrades to correct this issue. Check the vendor advisory, changelog, or solution in the references section for details.