Android 4.4 KitKat also affected by Master Key vulnerability

Always in July 2013 the China-based group, known as Android Security Squad, uncovered a new Android master key vulnerability that allows similar exploitation of Android devices.

We come to the present day, recently Google presented Android 4.4 code named KitKat, the last version of the Google OS promise being more secure and it includes a patch for any Android Master Key vulnerability, but nothing is totally secure 😉

Security expert Jay Freeman,  also known as Saurik for Cydia Software, has announced that also Android 4.4 is affected by the Master Key vulnerability and demonstrated the vulnerability with a proof of concept exploit written in Python.

The Android Master Key Vulnerability is similar to the one reported by Android Security Squad in July, every application is signed by authors with their private cryptographic keys;

The Android’s package manager determines whether applications are allowed to share information, or what permissions they are able to obtain analyzing the certificates used to verify the author’s signature.

“Even the system software itself is signed by the manufacturer of the device; applications signed by that same key are thereby able to do anything that the system software can. Normally, this is only possible if you are the manufacturer; however, using bug #8219321, anyone could steal those signatures for their own.

A key concern this raises is that applications in the wild might be signed with the system keys of your device; while you think you are just installing a harmless game, that application would look to the package manager as if it came from the manufacturer, giving it elevated and dangerous system permissions.”

“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access & control.” stated Freeman in a past post.

Freeman’s exploit allows an attacker to gain complete access to a user’s Android handset via a modified system APK, without any modification to the his original cryptographic key, the consequence under security perspective are evident, a malware can obtain full access to Android OS and on the overall installed applications and related data.

So far no evidence of this exploit has been found in apps already available in Google Play, since now Android users haven’t been affected by the Master Key vulnerability, the eventual risk is limited to manually installing from not official stores.

Waiting for a fix for the Android Master Key vulnerability it is strongly suggested to download applications only from trusted sources avoiding third-party app stores, Freeman also announced an update for his Cydia Impactor that includes a patch for the bug.