Android 4.4 KitKat also affected by Master Key vulnerability

Pierluigi Paganini November 04, 2013

Security expert Jay Freeman discovered another Master Key vulnerability in Android 4.4 that allows attackers to inject malicious code in legit apps.

The flaw known as “Android Master Key vulnerability” is considered a nightmare for Android OS, last July it was discovered for the first time and experts revealed that 99% of Android devices are vulnerable.
The Master Key vulnerability allows hackers to modify any legitimate and digitally signed application in order to include malicious code that can be used to steal data or to gain remote control of the mobile device.

The Master Key vulnerability was discovered and responsibly disclosed by Bluebox Labs that demonstrated that the Android vulnerability allows app modification preserving signatures. The flaw was fixed later with Android 4.3 Jelly Bean version, Google adopted as countermeasure the modification of app submission process to the Play Store to avoid the publishing of malicious application that have been packaged using such exploit.

Always in July 2013 the China-based group, known as Android Security Squad, uncovered a new Android master key vulnerability that allows similar exploitation of Android devices.
We come to the present day, recently Google presented Android 4.4 code named KitKat, the last version of the Google OS promise being more secure and it includes a patch for any Android Master Key vulnerability, but nothing is totally secure 😉
Security expert Jay Freeman,  also known as Saurik for Cydia Software,  has announced that also Android 4.4 is affected by the Master Key vulnerability and demonstrated the vulnerability with a proof of concept exploit written in Python.
“Now, last night, the source code for Android 4.4 was released to AOSP, which included a patch for yet another bug, #9950697, in the signature verification of Android application packages. This bug is somewhat weaker than the previous ones, but is still sufficient to support the general exploit techniques I have described.In this article, I describe this third bug and show how it can be used, providing both a proof-of-concept implementation in Python and a new version of Impactor that adds support for this signature bug.”
Android Master Key vulnerability exploit python
The Android Master Key Vulnerability is similar to the one reported by Android Security Squad in July, every application is signed by authors with their private cryptographic keys;
The Android’s package manager determines whether applications are allowed to share information, or what permissions they are able to obtain analyzing the certificates used to verify the author’s signature.

“Even the system software itself is signed by the manufacturer of the device; applications signed by that same key are thereby able to do anything that the system software can. Normally, this is only possible if you are the manufacturer; however, using bug #8219321, anyone could steal those signatures for their own.

A key concern this raises is that applications in the wild might be signed with the system keys of your device; while you think you are just installing a harmless game, that application would look to the package manager as if it came from the manufacturer, giving it elevated and dangerous system permissions.”

“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control.” stated Freeman in a past post.

Freeman’s exploit allows an attacker to gain complete access to a user’s Android handset via a modified system APK, without any modification to the his original cryptographic key, the consequence under security perspective are evident, a malware can obtain full access to Android OS and on the overall installed applications and related data.

So far no evidence of this exploit has been found in apps already available in Google Play, since now Android users haven’t been affected by the Master Key vulnerability, the eventual risk is limited to manually installing from not official stores.

Waiting for a fix for the Android Master Key vulnerability it is strongly suggested to download applications only from trusted sources avoiding third-party app stores, Freeman also announced an update for his Cydia Impactor that includes a patch for the bug.

Pierluigi Paganini

(Security Affairs – Google Master Key vulnerability, mobile)

you might also like

leave a comment