Skip to main content

Corresponding to the "Master Key" critical vulnerability in Android

Release Date: 25 Jul 2013 2847 Views

In July 2013, Bluebox Security research team reported their discovery of a vulnerability in Android's security model that allows a hacker to modify any APK file (Android application package file) to become a malicious Trojan without breaking the application's cryptographic signature, and unnoticed by the app store or the user.

 

The Master Key vulnerability, as mentioned in the report, is affecting 99% of Android devices. This vulnerability exists since the release of Android 1.6, and could affect any Android phone released in the last 4 years, accounting for nearly 900 million devices.

 

Cryptographic signature is used to sign data through cryptographic algorithms. All Android apps contain cryptographic signatures, which Android determines if the app is legitimate and verifies if the app has been modified. Cryptographic signature provides data integrity and verification. However, this "Master Key" vulnerability involves discrepancies in how Android app signed and verified. This can be exploited by hackers to tamper with legitimate APK file, apply all permissions of that app, access the device's information and compromise the system, without being noticed.

 

Enable "Verify Apps": Setting > Security > Verify apps

 

Google said, they have not seen any evidence of exploitation in Google Play via their security scanning tools. Google's Verify Apps provides protection for Android users. Verify Apps which is a new function of Android 4.2, verifies the apps and provides protection before installation.

 

Verify Apps

Fig) Enable "Verify Apps"

 

Install Bluebox Security Scanner to check your device

 

If your mobile phone does not have an update to Android 4.2, you may download "Bluebox Security Scanner" app from Play Store to scan your device for the "Master Key" vulnerability. The app allows you to check if your Android device has been patched for this vulnerability; show the option of installation of apps from unknown sources; and scan for any malicious apps installed that take advantage of this vulnerability.

 

Bluebox Bluebox Security Scanner

https://play.google.com/store/apps/details?id=com.bluebox.labs.onerootscanner

QR code

 

To summaries the above vulnerability in Android, HKCERT recommends Android users download and install apps via the official Play Store, and refer to Guideline of Mobile Security provided by HKCERT, to prevent infection from malicious apps.

 

Guideline of Mobile Security

 

 

Source: http://bluebox.com/corporate-blog/bluebox-uncovers-android-master-key/