Master Key Attack ‘Threatens Almost All Android Devices’

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Researchers claim they can alter an Android application’s code without affecting the signature used to check the software’s validity

Attackers could exploit a vulnerability in how Android applications are checked for security to take full control of a mobile device, and almost all Android versions are affected, it has been warned.

The flaw, which affects any version of Android released in the last four years, would allow a hacker to change Android application packages (APKs) without altering the app’s cryptographic signature, according to security start-up BlueBox.

That means they could add malicious code to Trojanise official applications and, crucially, bypass security mechanisms on Android devices and on the Google Play store, which check the validity of cryptographic signatures whenever an app is updated. It gives attackers a “master key” into Android devices, the security firm claimed.

Difficult Android attack

An attack would still be fairly hard to pull off, however, given that attackers would have to either issue an update on a target’s phone somehow, possibly by sending a phishing email, or create a clone app with the right signature and then inject their malicious code.

As it is believed Google has blocked any apps that could be exploited by the flaw from its official store, it would be tricky for attackers to get modified APKs on the Play platform.

If attackers placed their rogue app on third-party stores, which traditionally have laxer security protections, they might have more success.

No attacks in the wild have been reported thus far, however, and BlueBox has not revealed full details of the vulnerability.

It is believed Android partners would have been told some time ago, as the flaw was responsibly disclosed back in February, so device manufacturers should have updated their firmware to cover off the flaw.

Google had not responded to a request for comment at the time of publication.

Impact could be huge…

If attackers could get over the various hurdles, the impact would be massive, as BlueBox CTO Jeff Forristal noted in his blog post on the flaw, more details of which are to be announced at the Black Hat event taking place later this month.

The flaw would be particularly problematic if attackers were able to Trojanise apps made by device makers, as they often have low-level access to devices.

“While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access,” Forristal wrote.

“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed.

“The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).”
