Android Master Key Patch App Available

A new program has been released by security researchers from Duo Security and the System Security Lab at Northeastern University, designed to patch a major flaw in Android phones.

However there is a significant catch. Only phones that have already been hacked can currently apply the fix.

Warning System

The program, known as ReKey, allows users to protect their Android smartphone or tablet by modifying the two vulnerable functions to fix the flaw. Any malicious app that attempts to exploit the master key issue will not only fail to compromise the phone, but will cause the ReKey program to warn the user.

Northeastern and Duo have been collaborating on the third-party patching technology for patching Android phones for about a year, according to Jon Oberheide, co-founder and chief technology officer of mobile-protection provider Duo Security. While the two teams could exploit the vulnerability to install their software and patch any phone, they are leery of doing so, he said.

“We are a little cautious about releasing a weaponised exploit for this particular vulnerability, because there hasn’t been any public proof of concepts, so we would not want to give attackers a working exploit,” Oberheide said.

Fixing flaws in the Android mobile operating system is a slow process because multiple companies have to take part in the process. The Android development community fixes the vulnerability, an update version of the software is distributed by Google, the device manufacturers have to update their firmware and then the carriers have to test the update to make sure it does not impact their cellular network.

In the end, most phones are rarely patched, and more than half of all phones still have major vulnerabilities left unpatched, according to Duo Security’s X-Ray vulnerability scanning software.

In March, one researcher publicised vulnerabilities in Samsung’s smartphones because the company, in the researcher’s estimation, did not patch the issue fast enough.

Master Key Flaw

The master key vulnerability, discovered by researchers at startup Bluebox Security, allows an attacker to use a Trojan horse to infect other applications on the device – including OS components with system privileges – and escape detection by the software watchdog on Android that is supposed to prevent such changes. The issue affected 900 million devices at the time of its discovery, Bluebox estimated.

While Google has fixed the flaw, many phones have not yet received the patch. Given the lack of security updates for older devices, many users may never have a patched device.

“OEMs are most interested in the security of the devices right now; carriers don’t care about security, because they are not making any money,” Oberheide said. “But if OEMs can sell consumers on security – like Samsung’s Knox framework – then it can certainly help the problem.”

While Duo and Northeastern have only provided the ReKey app for jailbroken phones, it would be easy to modify it with an exploit of the vulnerability to patch the issue, the two organisations said in their description of the tool.

“If a weaponised exploit was observed being used publicly in the wild for nefarious purposes, that would ‘change our calculus’ or whatever the phrase is these days. Stay tuned,” they said in a statement.

Think you know everything about Android? Try our quiz!

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

US Approves SpaceX Starlink For Planes, Trains And … Ships

US FCC regulator gives its official approval for SpaceX to use its Starlink satellite internet…

4 hours ago

Bitcoin Falls Below $19,000, But Recovers Slightly Friday

Ominous sign for crypto markets? The value of Bitcoin dropped over 6 percent to below…

6 hours ago

Meta Slashes Hiring As It Braces For Downturn – Report

CEO Mark Zuckerberg tells staff to brace for a deep economic downturn, as Meta cuts…

7 hours ago

Silicon In Focus Podcast: Connected Business

Is the definition of a ‘connected business’ very different today than it was just two…

9 hours ago

BT Disappointed As CWU Votes To Strike, Despite 5 To 8 Percent Pay Rise

First strike in 35 years after BT staff with the e Communications Workers Union vote…

24 hours ago