Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

As users await permanent fixes, researchers help address Android “master key” vulnerabilities

A number of patches are being announced or released for two “master key” Android vulnerabilities discovered back-to-back this month, one which could affect 99 percent of users.

Mobile security vendor Bluebox discovered the initial “master key” vulnerability earlier this month and a second similar “master key” bug was discovered less than a week later by a Chinese individual or group referred to as Android Security Squad.

The way each vulnerability works is a bit different, but the outcome is essentially the same: Malicious users are able to alter the way Android apps work without affecting its signature. This means any changes made to an app will go undetected.  

In a Thursday interview with, Bluebox CTO Jeff Forristal made a theoretical example of the Gmail application. A person could manipulate the application and gain access to one's email account, he said, or the hacker could take it a step further and gain complete control of the device.

Forristal said Google, owner and manager of the Android operating system, has addressed the issues and released patches for most authorized Android devices. Those users who have received no update will have to reach out wait for their phone manufacturer or cellular carrier to push a fix.

“To a large extent, Google makes the source code, vendors compile it and carriers release it,” Forristal said, explaining it is a cooperative effort, and even one group can delay or prevent an update release.

Forristal speculated that Google has yet to release a patch for some phones, including their own Nexus, because Android 4.3 is right around the corner.

He meanwhile offered some mobile safety tips for users yet to receive a patch, including only downloading applications from more trustworthy outlets such as Google Play and Amazon.

Forristal also suggested downloading the free Bluebox Security Scanner application on the Google Play store, which determines if a mobile is vulnerable to “master key” flaws and if a malicious application is taking advantage of the weaknesses.

Users more comfortable with the ins and outs of their device and the Android operating system might be interested in downloading ReKey, an application designed by Northeastern University and Duo Security that recognizes the “master key” vulnerability and provides a patch.

Bluebox will go more into exactly how it uncovered the “master key” vulnerability at the Black Hat conference later this month, but Forristal said he initially encountered the bug as part of a separate, yet related investigation.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.