New Android Master Key attack revealed by Android Security Squad

The China-based group Android Security Squad revealed a new Android Master Key attack that exploits a vulnerability in the way the OS reads APK files, allowing modification of signed, legitimate apps.

The China-based group Android Security Squad has found a second serious vulnerability in Android's master key handling. In recent days it was announced that an Android master key vulnerability had been found that could be exploited by attackers to modify an app without breaking its digital signature. The repercussions are serious because an attacker could modify the code to inject any kind of malware, bypassing every security mechanism on almost all Android-based smartphones. The previous flaw was revealed by the Bluebox Security firm, which reported that 99% of Android devices are vulnerable to the method of attack described. Google has already patched the flaw and issued the fix to the Android Open Source Project (AOSP).
A digital signature on a document is used in this context mainly to ensure that the related file hasn't been altered.
This time Android security is threatened by a similar flaw that may be abused for the same purpose.
The Android Security Squad discovered that it is possible to add malicious code into the file headers, even if the targeted files are smaller than 64K.
The attackers have to modify an extra field length to 0xFFFD to fool the integrity check into loading a malicious payload.
The Android application package file (APK) is the file format used by the popular OS to distribute and install apps and middleware.
“To make an APK file, a program for Android is first compiled, and then all of its parts are packaged into one file. An APK file contains all of that program’s code (such as .dex files), resources, assets, certificates, and manifest file. As is the case with many file formats, APK files can have any name needed, provided that the file name ends in ‘.apk’.”
APK files are packed using a version of the ZIP archive format; although most ZIP implementations don't allow two files with the same name in the same archive, the format itself doesn't forbid it.
Attackers could insert two versions of the classes.dex file in the same package, the original one and the tampered version. The flaw is in the Android security model: when the OS verifies an app's digital signature it checks only the first matching file, but when the app is executed it loads the last one.
An attacker who wants to Trojanize an app just needs to include the malicious code in the legitimate package under a name that already exists within it; the benign file passes the signature check despite the presence of the malicious content.
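Both flaws described above are disagreements between the part of the package that is verified and the part that is actually loaded. The script below is an added example (not code from the article, Android Security Squad, or Bluebox) showing the checks a defender can run on an APK before trusting its signature: it flags duplicate entry names in the central directory, shows what a checker that stops at the first matching entry would see versus what a loader that takes the last one would get, and flags local file headers whose 16-bit extra-field length has the sign bit set (such as the 0xFFFD value the article mentions, which reads as a negative number if parsed as a signed short). The sample archive is constructed inline as a test fixture and is not a real app; the names `build_sample_apk`, `duplicate_entries`, `first_and_last_copy` and `suspicious_extra_lengths` are this example's own.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

# Local file header layout from the ZIP specification (30 bytes):
# signature, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
EXTRA_LEN_OFFSET = 28  # position of the 2-byte extra-field length inside the local header


def build_sample_apk(duplicate_dex=False, bad_extra_len=None):
    """Constructed fixture (not a real app): a minimal APK-like ZIP.

    duplicate_dex=True writes classes.dex twice, benign copy first, tampered copy last.
    bad_extra_len patches the extra-field length of the first entry's local header
    without touching the central directory, the way a crafted archive would.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names but still writes both
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00BENIGN")
            if duplicate_dex:
                zf.writestr("classes.dex", b"dex\n035\x00TAMPERED")
    data = bytearray(buf.getvalue())
    if bad_extra_len is not None:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            first_header = zf.infolist()[0].header_offset
        struct.pack_into("<H", data, first_header + EXTRA_LEN_OFFSET, bad_extra_len)
    return bytes(data)


def duplicate_entries(apk_bytes):
    """Return {name: count} for every entry name listed more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def first_and_last_copy(apk_bytes, name):
    """Return (first_match_bytes, last_match_bytes) for an entry name.

    A verifier that stops at the first match and a loader that takes the last one
    only agree when the two values are identical.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        matches = [info for info in zf.infolist() if info.filename == name]
        if not matches:
            return None
        return zf.read(matches[0]), zf.read(matches[-1])


def suspicious_extra_lengths(apk_bytes):
    """Walk every local file header and return (name, extra_len) for headers whose
    extra-field length has the sign bit set (>= 0x8000), i.e. would go negative if read
    as a signed 16-bit integer. A malformed header is reported with extra_len=None."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            fields = struct.unpack(LOCAL_HEADER_FMT, apk_bytes[start:start + LOCAL_HEADER_LEN])
            if fields[0] != LOCAL_HEADER_SIG:
                found.append((info.filename, None))
                continue
            extra_len = fields[10]
            if extra_len >= 0x8000:
                found.append((info.filename, extra_len))
    return found


def audit(apk_bytes):
    """Reject the package if either check fires; a safe verifier never picks 'the first match'."""
    problems = []
    dups = duplicate_entries(apk_bytes)
    if dups:
        problems.append(f"duplicate entries: {dups}")
    bad = suspicious_extra_lengths(apk_bytes)
    if bad:
        problems.append(f"suspicious extra-field lengths: {bad}")
    return problems


if __name__ == "__main__":
    for label, pkg in [("clean", build_sample_apk()),
                       ("duplicate classes.dex", build_sample_apk(duplicate_dex=True)),
                       ("extra_len 0xFFFD", build_sample_apk(bad_extra_len=0xFFFD))]:
        print(label, "->", audit(pkg) or "ok")
```

The point of `audit` is that a hardened verifier treats any duplicate name or any inconsistency between the central directory and the local headers as a reason to reject the package outright, rather than deciding which of the conflicting copies to trust.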
To patch the Android master key vulnerability it is possible to use the free mobile app ReKey, as highlighted by the TheHackerNews team in a post.
The only way to reduce the likelihood of infection is to install applications downloaded from legitimate app store sources.
“If you don’t know where the APK came from, it’s no different than grabbing .exes from the Net. Make sure you’re not using apps from untrusted sources and stick to Google Play,” said BlueBox Security CTO Jeff Forristal.
Pierluigi Paganini
(Security Affairs – Android, hacking, Android Security Squad)

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
