Android ‘Master Key’ Security Hole Puts 99% Of Devices At Risk Of Exploitation

Android ‘Master Key’ Security Hole Puts 99% Of Devices At Risk Of Exploitation

Mobile security startup Bluebox Security has unearthed a vulnerability in Android’s security model which it says means that the nearly 900 million Android phones released in the past four years could be exploited, or some 99% of Android devices. The vulnerability has apparently been around since Android v1.6 (Donut), and was disclosed by the firm to Google back in February. The Samsung Galaxy S4 has already apparently been patched.

It’s likely that Google is working on a patch for the vulnerability. We’ve reached out to the company for comment and will update this story with any response.

Bluebox intends to detail the flaw at the Black Hat USA conference at the end of this month but in the meanwhile it’s written a blog delving into some detail. The vulnerability apparently allows a hacker to turn a legitimate app into a malicious Trojan by modifying APK code without breaking the app’s cryptographic signature. Bluebox says the flaw exploits discrepancies in how Android apps are cryptographically verified and installed. Specifically it allows a hacker to change an app’s code, leaving its cryptographic signature unchanged — thereby tricking Android into believing the app itself is unchanged, and allowing the hacker to wreak their merry havoc.

The flaw is made worse if an attacker targets a sub-set of apps developed by device makers themselves, or third parties — such as Cisco with its AnyConnect VPN app — that work closely with device makers and are granted system UID access. This sub-set of apps can allow a hacker to tap into far more than just mere app data, with the potential to steal passwords and account info and take over the normal running of the phone. Here’s how Bluebox explains it:

http://techcrunch.com/2013/07/04/android-security-hole/