Another Android “master key” bug revealed
Posted on 07 November 2013.
The existence of another “master key” bug that can be used to push malware onto Android users has been publicly disclosed by Jay Freeman (a.k.a. Saurik), the technology consultant and security researcher who unearthed the bug around the same time as the previous two were found and disclosed in July.

Freeman didn’t go public with his knowledge then, and instead notified Google of the flaw so that it could be fixed in the upcoming update of the OS. Now that the update is out, he has shared the bug’s details in a blog post.

In short, the bug is similar to the second one found, and allows malware peddlers to replace a legitimate, verified app with one that has had malware added to it, all without the device spotting the subterfuge and stopping it.

I won’t go deeply into the technical details, as Freeman’s post explains the problem perfectly, includes a PoC of an exploit for it, and explains how the bug can be patched. Alternatively, Sophos’ Paul Ducklin also did a bang-up job explaining the bug’s intricacies.

Users who have updated their Android installation to the latest (4.4 - KitKat) version are the only ones whose devices currently can’t be compromised with malicious apps taking advantage of this flaw.

Since KitKat was released a little over a week ago, and Android updates are typically slow to reach actual devices, only Google Nexus owners are, so far, safe. Google aims to bring the majority of users up to this newest version as soon as possible, but realistic expectations and announced deadlines point mostly to updates in 2014.

COPYRIGHT 1998-2014 BY HELP NET SECURITY.