The Android master key vulnerability has been in existence since the Donut version of Android. This means over 99 percent of Android phones in existence are vulnerable to malicious codes from replicas of legitimate applications. However, a temporary solution has emerged where Google has taken the initiative to keep infected apps away from the app store.
Android master key bug
The Master Key bug is a vulnerability that allows attackers to infuse an existing app with malicious codes before sending it out to unsuspecting consumers, in such a way that the app behaves in the same way as the original. Researchers have found that the reason for such attacks could be the way in which the cryptographic signatures in android applications are being verified. The attackers were able to make modifications to the app without tampering with the cryptographic signature.
As a result, a good number of legitimate applications could be modified and infected with malicious code to steal passwords as well as other data from the users. Since the digital signatures belonging to an infected app and a legitimate app would remain the same, the consumers would not be able to identify the hidden threat within the app.
In a bid to thwart any further malicious attacks on android users, Google has updated their Google Play account with security checks that block any apps that make use of this exploit. As a result, consumers can be sure of being safe as long as they install apps only from Google Play. Third party downloads including apps from Amazon and Samsung pose a threat to consumers. Google has recommended android users to stay away from any third party app stores until the master key bug vulnerability has been fixed.
What can you do as a consumer?
The most important thing you can do as a consumer is look at the origin of the app. This is something that the attackers haven’t been able to mask. As a result, even if a malicious Trojan app manages to remain on Google Play despite all the security blocks, the app will not be listed in the original app owner’s account. This means, if an attacker trojanizes Angry Birds using the Master Key bug, the app will definitely not be listed under Rovio’s official Google Play account. So it would be great to take a look at the developer’s identity before downloading an app from any app store.
You can even turn off third party installations on your phone. This can be easily done by modifying your phone’s security settings to not allow installations from unknown sources. If you are using the Jelly Bean version of Android, you may be safe to a certain extent. This is because Jelly Bean has an inbuilt app scanner that scans every app downloaded from third party sources. As a result, even if you happen to install an infected app by mistake, your phone is capable of blocking the application from causing any harm. In addition to this, you can also install any one of the many security applications from Google Play that can detect suspicious code in apps.
What is being done about it?
The Master Key vulnerability has not been exploited at a large scale. That does not mean the threat doesn’t continue to persist. Mobile manufacturers are now looking at all round security solutions to their handsets. This would mean that a security module that would take care of everything from identity theft to malware protection as well as theft alert will be integrated into one system. The Master Key threat was detected in February 2013. Google immediately responded with a patch to its Open Handset Alliance. Other manufacturers have been a bit sluggish in this regard but they too are releasing firmware updates to fix this issue. However, it would take some more time before everybody has access to the patches.
Bluebox Security has been leading the race to find vulnerabilities in the Android OS. In fact they were the first to report the Master Key vulnerability. Rumors suggest that more such threats are likely to be revealed soon during the Black Hat conference that is all set to take place in Las Vegas during the month end. The Master Key vulnerability even though not fully exploited is a very serious threat that can cause serious damage by stealing your personal information. It would be best to install a firmware update as soon as you receive it.
Please Share This Knowledge With Others!
Jerry says
This sounds great I hope it will fix the problem, I have heard from the cell phone people when I went to upgrade that one of the biggest problem phones was the Droid so I didn’t get one. I would imagine the sales of this phone will be hampered if they don’t get this fixed right? Why or how did Apple come up with a way to not get malicious anything on their stuff?
Amanda says
I am glad that I do not rely on my smart phone for storing any sensitive data. I still use my laptop computer to make purchases and to connect to a portable USB hard drive to store any passwords.
Android OS is relatively new and as such, I’m sure its bugs are still being caught and plugged. This is the danger of relying too much on a new OS / platform. I download quite a few apps, but I have nothing to protect on my phone.
Mary says
Symantec researchers say the first known use of the Android Relevant Products/Services “master key” vulnerability has been found in the wild. Two applications distributed on unofficial Android marketplaces in China were found to be using the exploit.
When Symantec’s team first discussed the vulnerability earlier this month, which was identified by startup Bluebox Security, they said they expected attackers to exploit it quickly because of its ease-of-use. They appear to have been right on the mark.
William says
So is the general consumer public to understand that this so called master key vulnerability has not been fixed since the first generation of the Android phone? I guess it isn’t such a smart phone as we once thought.
Well, we shouldn’t blame it on the phone or its operating system. Those are just the products of its creators. So let’s blame the engineers and even their superiors for putting so much pressure on the developers to churn out products that they end up releasing to us untested, unsecure systems that are supposed to be capable of safeguarding our personal data.
Mitchell says
I heard about this and how the first examples of the exploit being were used in the wild. Symantec detects these applications as Android.Skullkey. They found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments. Why they chose to make doctors appointments, I have no clue.
Could it have something to do with identity theft? After all, it is medical facilities that keep all the sensitive personal information that belongs to their patients.