Black Hat: Don't assume safety from "master key" Android vulnerability

The bug is a major threat, especially since a majority of Android users disable security features.

The CTO who disclosed the "master key" Android vulnerability, which allows miscreants to invisibly infect any legitimate app, has presented follow-up research that reinforced how exposed users are to the threat.

At last week's Black Hat conference in Las Vegas, Jeff Forristal, CTO of Bluebox Security, warned that the bug impacting 99 percent of Android devices shouldn't be downplayed under the assumption that users know better than to download apps from untrusted sources.

He revealed that 69 percent of Android users, drawn from a sample of those in Bluebox's network, permitted app downloads from unofficial online sites. According to Forristal, the users didn't employ an Android setting on their phones that blocked app downloads from “untrusted sources.”

The finding was particularly relevant because the master key vulnerability, which was disclosed last month, allows an attacker to weaponize any clean app without altering its cryptographic signature. Normally, a modified digital signature serves as a red flag that an app has been tampered with.

In late July, Symantec researchers discovered the first signs of the bug being exploited in the wild when attackers infected popular games and other apps found in third-party marketplaces in China. The flaw allowed attackers to remotely control victims' phones, send premium SMS messages and disable security software on the device, all by implanting legitimate apps with malicious code.

Forristal said Bluebox's poll, which analyzed around 250,000 Android devices in its network, showcased how prevalent the threat still is to users.

"This is an even bigger problem than those Android experts think it is," Forristal told Black Hat attendees on Thursday.

Further, Forristal said other flaws exist that give attackers similar “master key” privileges. He has noted other members of the master key vulnerability “family,” including findings from other researchers who discovered additional bugs.

Google currently has patches for the vulnerability discovered by Bluebox, along with two others said to achieve similar app takeovers (#9695860 and #8219321).
