Risk
7/17/2013
02:20 PM
50%
50%

Google Play Has Apps Abusing Master Key Vulnerability

Two apps currently available for download in Google Play abuse the critical master key vulnerability that affects almost all Android devices. Is Google reviewing apps for the flaw?

9 Android Apps To Improve Security, Privacy
9 Android Apps To Improve Security, Privacy
(click image for larger view)
Google Play alert: An information security researcher has spotted two apps that use the master key vulnerability that's present in an estimated 99% of all Android devices. But rather than being distributed by sketchy third-party app stores, which are known for harboring malicious apps that have been disguised as free versions of the real thing, these two apps are available directly from the official Google Play app store.

Fortunately, the apps don't appear to be malicious. But the presence of the free apps -- Rose Wedding Cake Game and Pirates Island Mahjong Free, which have been downloaded by between 15,000 and 60,000 people -- on the Google Play site calls into question whether Google is now scanning for apps that abuse the so-called master key vulnerability that was discovered by Bluebox Labs in February and detailed by Android hackers earlier this month, as well as a similar vulnerability that was disclosed last week by researchers at Android Security Squad in China.

"We always advise people to stick to applications that are delivered via Google Play," said Bogdan Botezatu, the senior e-threat analyst at BitDefender who discovered the apps, speaking by phone. "But we just saw applications manifesting this behavior on Google Play. So what do I advise my users and readers?"

In the meantime, he's notified Google about the apps and emphasized that "they do not pose a threat for users." In addition, he said, "We also notified the developers because at the moment we do not know if this is a voluntary behavior or if this is a side effect of them using a specific software development toolkit," which in this case was Adobe AIR. It's also possible that a simple coding mistake is to blame for the apps sporting two duplicate PNG files with the same name and extension being located in the same folder. "This is not a good practice, because the file system was not designed in such a way to allow two files with the same names and the same extension to be in the same folder -- it's going to lead to confusion," said Botezatu.

[ ReKey app patches major Android vulnerability, but devices must be rooted. Read more at Android Users Can Patch Critical Flaw. ]

Regardless, the apps won't be allowed to execute by the latest version of Android, or if users have installed antivirus or security software designed to block the master key exploit.

But given that Google was first alerted to the vulnerability in February, it's curious that its automated Bouncer application security checks didn't intercept the apps, which were last updated in mid-May and mid-June. "I'm not sure if Google Play didn't flag these applications as malicious because they didn't have malicious behavior, or if they weren't able to scan these applications for the vulnerability in Google Play," Botezatu said.

A Google spokesman didn't immediately respond to an emailed request for comment about the apps, or whether Google is now actively scanning all apps to detect if they appear to exploit the vulnerability.

From a patch standpoint, Android quickly patched the master key vulnerability in the Android Open Source Project (AOSP) after learning of the vulnerability in February, and some recently released devices -- Samsung Galaxy S4 and HTC One devices running Android 4.2.2 or above -- have a related patch. Likewise, the developers behind the third-party Android firmware CyanogenMod have updated their firmware with patches for the master key vulnerability identified by Bluebox Labs, as well as the more recent vulnerability identified by Android Security Squad.

How can other Android users protect themselves against the vulnerability? The easiest approach is to use an Android antivirus app that's been updated to block any apps that attempt to exploit the vulnerability, and both BitDefender and Webroot updated their Android antivirus software Tuesday, with Botezatu noting that BitDefender's software also includes a patch for the flaw spotted by Android Security Squad. Alternately, more advanced Android users can install ReKey from Duo Security, which will patch the vulnerability, but only on rooted devices.

Unfortunately, however, the majority of Android may have to wait months -- if ever -- to see a related operating system update for their device from their handset maker or carrier. "The thing is, not for users of Cyanogenmod, but rather who are part of the huge ecosystem that's Android 2.3.3 Gingerbread [or earlier], they are highly unlikely to receive any security updates from carriers," said BitDefender's Botezatu. "That's why we rushed the fix for our antivirus, because everyone can install an antivirus, but not everyone can upgrade their device. It's difficult for a regular user to root their phone and install a third-party ROM."

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
speedo1456
50%
50%
speedo1456,
User Rank: Apprentice
7/13/2014 | 8:07:05 PM
Google taking steps to improve things?
Thumbs up for Google. Finally a big company is looking in some issues that concerns many android phone users. It took a while but maybe this is the beginning of some cleanup that had to be done inside the android market.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9710
Published: 2015-05-27
The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time windo...

CVE-2014-9715
Published: 2015-05-27
include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that trig...

CVE-2015-1157
Published: 2015-05-27
CoreText in Apple iOS 8.x through 8.3 allows remote attackers to cause a denial of service (reboot and messaging disruption) via crafted Unicode text that is not properly handled during display truncation in the Notifications feature, as demonstrated by Arabic characters in (1) an SMS message or (2)...

CVE-2015-2666
Published: 2015-05-27
Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to t...

CVE-2015-2830
Published: 2015-05-27
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrate...

Dark Reading Radio
Archived Dark Reading Radio
After a serious cybersecurity incident, everyone will be looking to you for answers -- but youíll never have complete information and youíll never have enough time. So in those heated moments, when a business is on the brink of collapse, how will you and the rest of the board room executives respond?