Marketingmobile OSMobilitySecurityWorkspace

Google Android ‘Master Key’ Exploit Code Exposed

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

A proof of concept appears on GitHub but users shouldn’t panic just yet

A GitHub user has posted a “quick and dirty” proof of concept for a “master key” flaw in Google’s Android operating system that caused a palava last week.

Now the code has been posted publicly online, there are fears crooks will start exploiting the vulnerability if they haven’t already.

Android malware vampireAndroid flaw exploit

The vulnerability allows Android application packages (APKs) to be tampered with, without disturbing the cryptographic signature designed to guarantee an app’s authenticity and safety.

An attacker could insert malicious code into a legitimate APK, effectively Trojanising it, which would be particularly nasty if that APK had wide access to the OS.

Details of the flaw, which was said to affect almost all versions of Android, were not fully released by Bluebox Security as it is planning to go into more detail at the BlackHat conference later this month.

Despite not having the additional information, GitHub user poliva, or Pau Oliva of viaForensics in Spain, has posted 32 lines of code he claimed exploited the flaw to get dirty code inside an APK.

This could be bad news for Android users, but it appears many are acting to cover off the vulnerability, which was reported to Google by BlueBox in March.

CyanogenMod, a popular open source distribution of Android 4.1, has now included a patch for the vulnerability in its firmware code.

Google has not responded to a request for comment on the matter, although it is believed it has delivered a patch to device manufacturers. It is now up to them to send out patches to users.

Google has also reportedly blocked any apps that could be exploited by the flaw from its official store. But users should still be careful about trusting anything from a third-party app seller.

And there have been no reports of exploits in the wild as yet, indicating cyber criminals have not jumped on the bandwagon just yet.

Think you know everything about Android? Try our quiz!