Last week an Android exploit was discovered by security researchers in the US and China. There are two Master Key exploits – both have been patched by Google – refer to Android security bug 8219321 for further information. These exploits affect Android 1.6 and above and are only applicable if you download an app from outside Google Play Store (see bootnote).
MASTER KEY EXPLOIT 1 – REFER TO Android security bug 8219321
This exploit, identified by a US security research company, allows an attacker to modify the code of any app without breaking its cryptographic signature. The Android cryptographic verifier validates the first version of any duplicated file in an APK archive, but the installer extracts and installs the LAST version (the duplicate).
MASTER KEY EXPLOIT 2 – REFER ALSO TO Android security bug 8219321
This exploit was identified by a Chinese researcher at the back end of last week. In this case an APK file contains two versions of the classes.dex file, the original and a modified one. A valid version can then be overlapped with part of a filename so that the dex file becomes invisible on extraction, and the container is modified to trick Android into examining the original. The signature check process reads a pair of values (the length of the filename and the length of the extra field) to determine how far to skip ahead to reach the actual file data. If a negative number is provided, only the valid version is checked.
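To make the two archive conditions described above concrete, here is an added example (not code from the original post, ReKey or Google): a small stand-alone checker that parses an APK's ZIP structures itself and flags (1) an entry name listed twice in the central directory, and (2) a local file header whose filename or extra-field length would read as negative through a signed 16-bit read. The sample archives are constructed in the script and are not real apps; the function names (scan_archive, build_zip) are this example's own.

```python
import struct
import zlib

# ZIP record signatures and layouts (little-endian), per the ZIP format.
LOCAL_HDR_SIG = 0x04034B50
CENTRAL_HDR_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
LOCAL_HDR_FMT = "<IHHHHHIIIHH"          # 30-byte local file header
CENTRAL_HDR_FMT = "<IHHHHHHIIIHHHHHII"  # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"                  # 22-byte end-of-central-directory record


def scan_archive(data):
    """Return a list of (finding, entry_name) tuples for a ZIP/APK byte string.

    The archive is parsed directly rather than through a ZIP library, because
    the Master Key bugs were disagreements between two different ZIP parsers.
    """
    findings = []
    eocd_pos = data.rfind(struct.pack("<I", EOCD_SIG))
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = struct.unpack(EOCD_FMT, data[eocd_pos:eocd_pos + 22])
    n_entries, cd_offset = eocd[4], eocd[6]

    seen = set()
    pos = cd_offset
    for _ in range(n_entries):
        hdr = struct.unpack(CENTRAL_HDR_FMT, data[pos:pos + 46])
        if hdr[0] != CENTRAL_HDR_SIG:
            raise ValueError("bad central directory header")
        name_len, extra_len, comment_len, local_off = hdr[10], hdr[11], hdr[12], hdr[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len

        # Condition 1: the same name listed twice. A verifier that checks the
        # first copy and an installer that uses the last copy will disagree.
        if name in seen:
            findings.append(("duplicate_entry", name))
        seen.add(name)

        # Condition 2: length fields >= 0x8000 become negative when read as a
        # signed 16-bit value; treating them as unsigned is what the fix enforces.
        lh = struct.unpack(LOCAL_HDR_FMT, data[local_off:local_off + 30])
        if lh[0] != LOCAL_HDR_SIG:
            findings.append(("bad_local_header", name))
            continue
        l_name_len, l_extra_len = lh[9], lh[10]
        if l_name_len >= 0x8000 or l_extra_len >= 0x8000:
            findings.append(("signed_length_overflow", name))
        local_name = data[local_off + 30:local_off + 30 + l_name_len].decode("utf-8", "replace")
        if local_name != name:
            findings.append(("name_mismatch", name))
    return findings


def build_zip(entries):
    """Build a minimal stored (uncompressed) ZIP from (name, payload, local_extra) tuples.

    Constructed test data only; duplicate names are written on purpose so the
    checker has something to find.
    """
    body, central = bytearray(), bytearray()
    for name, payload, extra in entries:
        nb = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        local_off = len(body)
        body += struct.pack(LOCAL_HDR_FMT, LOCAL_HDR_SIG, 20, 0, 0, 0, 0,
                            crc, len(payload), len(payload), len(nb), len(extra))
        body += nb + extra + payload
        central += struct.pack(CENTRAL_HDR_FMT, CENTRAL_HDR_SIG, 20, 20, 0, 0, 0, 0,
                               crc, len(payload), len(payload), len(nb),
                               0, 0, 0, 0, 0, local_off)
        central += nb
    cd_offset = len(body)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(body + central + eocd)


# Constructed sample archives (not real apps).
CLEAN_APK = build_zip([("AndroidManifest.xml", b"<manifest/>", b""),
                       ("classes.dex", b"dex\n035\0original", b"")])
DUPLICATE_APK = build_zip([("classes.dex", b"dex\n035\0original", b""),
                           ("classes.dex", b"dex\n035\0modified", b"")])
OVERSIZED_EXTRA_APK = build_zip([("classes.dex", b"dex\n035\0original", b"\0" * 0x8000)])

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_APK), ("duplicate", DUPLICATE_APK),
                        ("oversized extra", OVERSIZED_EXTRA_APK)]:
        print(label, "->", scan_archive(blob) or "no findings")
```

Running the script reports no findings for the clean archive, a duplicate_entry for the archive with two classes.dex copies, and a signed_length_overflow for the archive whose local header carries a 0x8000-byte extra field. Either finding on a real APK is reason to reject it before installation rather than to trust whichever copy a given parser happens to pick.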
So what have Google fixed?
Google have applied a code fix that forces these values to be interpreted as positive numbers, which stops the signature check process from misreading them (as described above). The Google patch is currently only installed on the Galaxy S4; global mobile carriers and the Google Android Nexus range of devices have still to receive it. What can you do? Two things: don't download apps from outside the Play Store, and if you use a rooted device, read on.
Do you use a rooted Android device?
There is a solution for rooted Android devices right now: you can use ReKey, a FREE app available on the Play Store, which safely patches the Master Key exploit on your rooted device. It injects the code fix into the Android framework, which requires elevated privileges. The app can also scan for apps that use the Master Key exploit.
Here is some interesting work on this exploit from the Androguard team.
Safe surfing folks!
Bootnote: It seems that Google hasn’t fixed these exploits on the Play Store. My colleagues at Bitdefender found apps using the Master Key exploit, but not for malicious intent.