Apps exploiting Android “Master Key” bug offered on Google Play
Posted on 18 July 2013.
Researchers from security firm Bitdefender have unearthed two relatively popular apps on Google Play that leverage the infamous Android “Master Key” bug, but luckily for users who downloaded them, the app developers have no malicious intent.


"The applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake," explained Bogdan Botezatu. "In contrast, malicious exploitation of this flaw focuses on replacing application code."

The bug, which was recently discovered by researchers from Bluebox Security, and a similar one flagged by a user of a Chinese forum allow malicious individuals to modify the code of any app without breaking its cryptographic signature and pass malware off as legitimate apps.

But even though both vulnerabilities have already been fixed by Google and the patch given out to device manufacturers, it will take considerable time for all of them and the various carriers to distribute a patch to its users.

A week ago Bluebox has created and made available for download an app for detecting whether users' Android installation has already been patched or still sports the vulnerability, whether their system settings allow non-Google Market application installs, and whether they have already installed one or more apps that take advantage of the flaw.

But researchers from Northeastern University's System Security Lab and Duo Security have created something even better: ReKey, a mobile app that "takes the upstream patch from Google and deploys it in a safe and non-destructive manner on your device."

Currently in beta, the app works only on rooted devices as it injects a small piece of code into the Android framework and that requires escalated privileges. The app also detects apps abusing the “Master Key” vulnerabilities if the user attempts to install them

This can be very useful because, as Bitdefender has pointed out, "two applications with this behavior managed to make their way into the Play Store without raising any red flags" - despite Bluebox CTO Jeff Forristal claiming that Google has made that impossible.









Spotlight

Hackers indicted for stealing Apache helicopter training software

Posted on 1 October 2014.  |  Members of a computer hacking ring have been charged with breaking into computer networks of prominent technology companies and the US Army and stealing more than $100 million in intellectual property and other proprietary data.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 2nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //