Another Master Key vulnerability discovered in Android 4.3
Earlier this year, in the month of July it was first discovered that 99% of Android devices are vulnerable to a flaw called "Android Master Key vulnerability" that allow hackers to modify any legitimate and digitally signed application in order to transform it into a Trojan program that can be used to steal data ortake control of the device.
The vulnerability was also responsibly disclosed to Google back in February by Bluebox and but the company did not fix the issue even with Android 4.3 Jelly Bean. Later, Google has also modified its Play Store’s app entry process so that apps that have been modified using such exploit are blocked and can no longer be distributed via Play.
Then after a few days, in the last week of July this year, Android Security Squad, the China-based group also uncovered a second Android master key vulnerability similar to the first one.
Security researcher Jay Freeman has discovered yet another Master Key vulnerability in Android 4.3, which is very similar to the flaw reported by Android Security Squad in July.
Jay Freeman, perhaps better known as Saurik for Cydia Software, an application for iOS that enables a user to find and install software packages on jailbroken iOS Apple devices such as the iPhone.
He demonstrated the flaw with a proof of concept exploit, written in Python language.
On Android, all applications are signed by their developers using private cryptographic keys; it is by comparing the certificates used to verify these signatures that Android's package manager determines whether applications are allowed to share information, or what permissions they are able to obtain.
Even the system software itself is signed by the manufacturer of the device and the applications signed by that same key are thereby able to do anything that the system software can.
Jay Freeman, perhaps better known as Saurik for Cydia Software, an application for iOS that enables a user to find and install software packages on jailbroken iOS Apple devices such as the iPhone.
He demonstrated the flaw with a proof of concept exploit, written in Python language.
On Android, all applications are signed by their developers using private cryptographic keys; it is by comparing the certificates used to verify these signatures that Android's package manager determines whether applications are allowed to share information, or what permissions they are able to obtain.
Even the system software itself is signed by the manufacturer of the device and the applications signed by that same key are thereby able to do anything that the system software can.
Like the previous master key bugs, Saurik's exploit allows a hacker to gain complete access to your Android device via a modified system APK, with its original cryptographic key being untouched.
This way the malware can obtain full access to Android system and all applications (and their data) with dangerous system permissions.
Users are advised to download apps or app updates only from trusted sources, preferably from official sources or app stores. Saurik has also updated his Cydia Impactor for Android to include a patch for this bug.
Recently, the source code for Android 4.4 was released in Android Open Source Project, which included a patch for all previously known Android Master Key vulnerabilities.
Update: We have updated the story, and made some correction after Saurik comment, 'the bug I am describing is a bug in Android 4.3, not Android 4.4. The fix for it was included in the code release for Android 4.4, and since it is now disclosed there is no harm to the open device community to describe the bug in public; devices that currently have no exploit are there by now exploitable.'
Thank you!