What Master Key? – Android Signature Bypass Vulnerability


Recently, a vulnerability in Android package signature verification was announced by Jeff Forristal, CTO of Bluebox Security. Jeff plans on revealing details at the upcoming BlackHat Briefings at the end of this month. Though he has not released any details on his findings beyond the initial blog post, more information is becoming available on how to protect yourself from this vulnerability.

What is a package signature?

Apps and Android OS updates are distributed in packages called APKs. APKs can come from the Google Play store, app stores, web sites, or directly from a PC over USB. Every app installed on an Android device must be cryptographically signed by the developer or distributor—this is the package signature. This is supposed to guarantee that the package has not been altered from the original. In addition, some signatures are special. Packages signed by the OEM may be given special privileges on the device. For example, an app signed by the OEM may be granted the ability to silently install other packages without involving the user. However, no normally installed app should be allowed to do this.

When an app or system update is installed, Android verifies the package signature by checking every file in the APK against the signature to make sure that no one has altered it. Unfortunately, due to the Android Signature Bypass vulnerability, it is possible for someone to insert their own potentially malicious files into the package without Android detecting the modification.

The Attack

Using this vulnerability, an attacker could modify an existing app or system update, and users installing it would unknowingly be installing executables from the attacker. This would give the attacker full control of the device. Once installed, the attacker could intercept phone calls, send and receive SMS messages, download or upload data, or even completely erase the device.

Fortunately, Google has been aware of this vulnerability since March and has taken two critical actions. The first, and most effective, was to make sure that there are no apps in Google Play that exploit this vulnerability. We can assume, too, that any new apps are also being checked. The second was to contact all of the Android OEMs to provide them with a patch that disallows duplicate files in APKs.

What can you do?

  1. Install updates – As with any vulnerability, the most important thing to do is to install any and all security updates available for your device. Google notified OEMs in March and provided them with a patch for this issue. Unfortunately, there is often a significant delay between Google providing a patch and updates being available on your device. This is because the OEM needs to integrate and test the patch on all of its supported devices and, in the case of phones, the carrier needs to do the same.
  2. Use security software – Second is to install and use security software capable of inspecting apps on your device. McAfee Mobile Security (MMS), as an example, scans every app and every file on your device for viruses and malware. It will thoroughly check both the APK and the contents of the APK. This means that even if malicious files are added to a good APK, MMS will still detect them. McAfee’s latest DAT update will detect any APK using this “Master Key” technique as suspicious using the name “Exploit/MasterKey.A”.
  3. Avoid untrusted app stores – Finally, you should know and trust your sources of apps. Google has stated that Play is free of apps exploiting this vulnerability. However, Play is not the only source of apps. Don’t install anything that is attached in an e-mail, from an app store, or from the web without first verifying with the sender that they really sent it and have scanned it with security software.
