Pierluigi Paganini
November 04, 2013
The Master Key vulnerability was discovered and responsibly disclosed by Bluebox Labs that demonstrated that the Android vulnerability allows app modification preserving signatures. The flaw was fixed later with Android 4.3 Jelly Bean version, Google adopted as countermeasure the modification of app submission process to the Play Store to avoid the publishing of malicious application that have been packaged using such exploit.
“Now, last night, the source code for Android 4.4 was released to AOSP, which included a patch for yet another bug, #9950697, in the signature verification of Android application packages. This bug is somewhat weaker than the previous ones, but is still sufficient to support the general exploit techniques I have described.In this article, I describe this third bug and show how it can be used, providing both a proof-of-concept implementation in Python and a new version of Impactor that adds support for this signature bug.”
“Even the system software itself is signed by the manufacturer of the device; applications signed by that same key are thereby able to do anything that the system software can. Normally, this is only possible if you are the manufacturer; however, using bug #8219321, anyone could steal those signatures for their own.
A key concern this raises is that applications in the wild might be signed with the system keys of your device; while you think you are just installing a harmless game, that application would look to the package manager as if it came from the manufacturer, giving it elevated and dangerous system permissions.”
“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control.” stated Freeman in a past post.
Freeman’s exploit allows an attacker to gain complete access to a user’s Android handset via a modified system APK, without any modification to the his original cryptographic key, the consequence under security perspective are evident, a malware can obtain full access to Android OS and on the overall installed applications and related data.
So far no evidence of this exploit has been found in apps already available in Google Play, since now Android users haven’t been affected by the Master Key vulnerability, the eventual risk is limited to manually installing from not official stores.
Waiting for a fix for the Android Master Key vulnerability it is strongly suggested to download applications only from trusted sources avoiding third-party app stores, Freeman also announced an update for his Cydia Impactor that includes a patch for the bug.
(Security Affairs – Google Master Key vulnerability, mobile)
