
Second Android Master Key attack found

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 16 Jul 2013
The exploit allows cyber criminals to modify legitimate apps with malware, says Threatpost.

Researchers have uncovered another Android Master Key attack, which exploits a vulnerability in the way Android reads APK files and allows cyber criminals to modify legitimate apps with malware.

An Android application package file (APK) is the file format used to distribute and install application software and middleware on the Android OS. An APK file contains all of the program's code (the .dex files), resources, assets, certificates, and the manifest file.

According to Threatpost, Chinese researchers posted a modification of the original attack reported in early July. This new attack focuses on APKs whose classes.dex file is smaller than 64K. By modifying an extra field length to 0xFFFD, they can con the integrity check into loading malware.

The exploit abuses the way Android conducts integrity checks on APK files. Attackers can store a benign and a malicious version of the same file in the zip archive under the same file name; the benign file passes Android's signature check, which allows the malicious modification to be installed as well.
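As an added example (not Bluebox's scanner or Android's own code), here is the kind of defensive check an app-intake or patch-validation pipeline could run over an APK, covering the two details in the preceding paragraphs: it walks the zip central directory and flags duplicate entry names, and any extra-field length of 0x8000 or above, a range that includes the 0xFFFD value mentioned above and that a signed 16-bit parser would read as a negative number. The sample archive, its file contents and the 0x8000 threshold are constructed here and are not taken from the article.

```python
import io
import struct
import warnings
import zipfile

EOCD_SIG, CEN_SIG, LOC_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
SIGNED_SHORT_LIMIT = 0x8000  # 0x8000..0xFFFF read as negative by a signed 16-bit parser


def scan_apk(data: bytes) -> list[str]:
    """Walk the zip central directory and return findings; an empty list means clean."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    entry_count, cd_offset = struct.unpack_from("<H4xI", data, eocd + 10)
    names, pos = {}, cd_offset
    for _ in range(entry_count):
        name_len, cen_extra, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        if data[pos:pos + 4] != CEN_SIG or data[local_off:local_off + 4] != LOC_SIG:
            return findings + [f"malformed zip headers for entry at {pos:#x}"]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        names.setdefault(name, []).append(local_off)
        loc_extra = struct.unpack_from("<H", data, local_off + 28)[0]  # local header field
        for where, length in (("central", cen_extra), ("local", loc_extra)):
            if length >= SIGNED_SHORT_LIMIT:
                findings.append(f"{name}: {where} extra field length {length:#06x} overflows a signed short")
        pos += 46 + name_len + cen_extra + comment_len
    for name, offsets in names.items():
        if len(offsets) > 1:
            findings.append(f"{name}: {len(offsets)} entries share this name")
    return findings


def build_sample_apk(tamper: bool = True) -> bytes:
    """Constructed sample: with tamper=True, two 'classes.dex' entries, the first patched to 0xFFFD."""
    bio = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(bio, "w", zipfile.ZIP_STORED) as zf:
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00BENIGN")
        dex_offset = zf.infolist()[-1].header_offset  # local header of the first classes.dex
        if tamper:
            zf.writestr("classes.dex", b"dex\n035\x00TROJAN")
    buf = bytearray(bio.getvalue())
    if tamper:  # extra-field length sits at offset 28 of the local file header
        struct.pack_into("<H", buf, dex_offset + 28, 0xFFFD)
    return bytes(buf)
```

Running `scan_apk(build_sample_apk())` reports both the oversized extra field and the duplicated classes.dex name, while `scan_apk(build_sample_apk(tamper=False))` returns nothing.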

According to Bluebox, the vulnerability affects several generations of Android devices since 1.6, or "Donut" - potentially around 900 million devices.

Jeff Forristal, Bluebox CTO, says the company is able to modify the code executed by an installed APK. He notes this would normally be a red flag, as it would break the signature, but Bluebox can do it without breaking the signature. "We have the ability to update any application on a phone and get access to data. We can make a malicious Facebook update by inserting Trojan code into a real one without breaking Facebook's signature."

He explains the vulnerability spans Android generations and is architecture-agnostic. All that is needed to take over the device is a platform-signed app whose code has been Trojaned.

Threatpost added that an attacker would be able to jailbreak an Android device, or even drop a program on the device that could exfiltrate sensitive corporate data, make phone calls, send SMS messages, or even steal passwords and account information.

Forristal says the patch is a simple fix: just two lines of code in a specific location in the Android code base. Getting handset manufacturers and carriers to deliver the firmware update is the problem. Google Play, the Android market, is patched and applications downloaded from the store are safe, Forristal assures, but users should be careful about downloading APK files from third parties.

Bluebox Security has released a scanner app that allows users to check if their Android device has been patched for this vulnerability without having to contact the device manufacturer. The app also scans devices to see if there are any malicious apps installed that could take advantage of this vulnerability.

"Once we discovered the bug, we set out to create a tool to help individuals to evaluate their risk and that app is now available for free at Google Play, Amazon AppStore, and GetJar," says Forristal.

The scanner will save users time and keep them from having to do the grunt work to figure out if their device has been safely patched. If their device has not been patched, it will provide them with the information they need to ask their device manufacturer when a fix will be available, adds Forristal.

Since the initial attack last week, Google has delivered a patch to some handset makers and carriers, and plans to patch the Android Open Source Project during Black Hat, in Las Vegas.

Forristal advises caution: don't use apps from untrusted sources, and stick to Google Play.
