Vulnerabilities / Threats
7/16/2013
12:04 PM

Android Users Can Patch Critical Flaw

ReKey app can be used to patch vulnerability that affects 99% of all Android smartphones and tablets, but requires rooting devices first.

Android users can patch their devices against a critical, easily exploitable flaw in the mobile operating system thanks to a new patch developed not by handset makers or carriers, but by researchers from Northeastern University's System Security Lab and security firm Duo Security.

The two organizations Tuesday announced the release of ReKey, a free mobile app that's designed to patch the Android master key vulnerability that's present in an estimated 900 million devices that run Android and that could be exploited by attackers to take full control of a device. The app can be downloaded from a dedicated ReKey website or via Google Play.

But there's a caveat: the app works only on rooted devices.

"This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions -- like those from the phone's manufacturer or the user's service provider -- are at particular risk," said Trend Micro security researcher Jonathan Leopando in a blog post. "Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker."

Bluebox Labs, which discovered the vulnerability, privately disclosed the flaw to Google in February, which quickly patched the bug in the Android Open Source Project (AOSP). Google is also now reportedly scanning apps that it distributes via Google Play for signs that they've been weaponized to take advantage of the vulnerability. But aside from a handful of devices that were built to use the latest Android operating system, carriers and handset makers have yet to issue a related Android patch to their customers and subscribers. As a result, an estimated 99% of all Android devices could be exploited via the vulnerability.

"The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem," said Jon Oberheide, CTO of Duo Security, in a statement. His firm, which provides two-factor authentication as a service, has received funding from the Defense Advanced Research Projects Agency (DARPA) for its X-Ray project, which last year found that more than 50% of all Android devices had unpatched vulnerabilities.

The likelihood of malicious attacks that exploit the master key vulnerability has lately increased. That's because, in advance of a Bluebox Labs Aug. 1 presentation at the security conference Black Hat that promised to showcase the technical details of Android security bug 8219321, enterprising security researchers used the non-technical presentation summary to begin searching for the flaw. Ultimately, the bug was detailed about 10 days ago on the forums of community-built Android firmware CyanogenMod, and last week viaForensics mobile security engineer Pau Oliva posted proof-of-concept -- albeit harmless -- exploit code to GitHub.

How does ReKey patch the vulnerability and protect against related exploits? "ReKey injects a small piece of code into the running Android framework. The code dynamically patches the ZipEntry and ZipFile classes to interpose on the vulnerable routines and thereby fix the root cause of the bugs," reads a FAQ on the ReKey website. "In addition to fixing the bugs, ReKey installs a warning system that alerts the user when they attempt to install an APK that abuses the vulnerabilities" -- referring to the Android app file format (APK).

As noted, however, the patch currently works only on rooted devices. "To patch the vulnerabilities on your device, ReKey requires escalated privileges," reads the FAQ. "Normal unprivileged applications on stock Android devices do not possess such privileges, hence the need for a rooted device with the Superuser (or similar) application."

While the researchers behind the project suggested that they would be able to build an app that would work on non-rooted devices, they said such functionality would require using an exploit, thus posing a "public safety" risk if attackers managed to reverse-engineer the exploit. "That being said, if a weaponized exploit was observed being used publicly in the wild for nefarious purposes, that would 'change our calculus' or whatever the phrase is these days," they said on the FAQ. "Stay tuned."

While the patch addresses the vulnerability identified by Bluebox Labs, information security researchers at Android Security Squad in China announced last week in a Chinese-language blog post (available in translation) that they'd discovered a related flaw that could also be used to modify the original APK without modifying the checksum used to verify that the app hadn't been tampered with.

The attack works by tweaking the APK's filename to add an extra field, which is then used to feed up to 64 KB of arbitrary data to the app. As a result, attackers could repackage a legitimate app to include malware, without leaving any indication that the Android file was malicious. The researchers said the flaw relates to a problem with a Java-based signature-verification routine.
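For readers who want to see what the "warning system" kind of check described above can look like for both flaws, here is an added example (written for this article, not ReKey's, Bluebox's or Android Security Squad's code). It assumes the publicly documented mechanism of the master key bug, an APK carrying two ZIP entries with the same name so that the verifier checks one and the runtime loads the other, and treats the extra-field size threshold and the sample APK contents as constructed values.

```python
import io
import struct
import warnings
import zipfile

# PKZIP local file header: signature + 5 shorts + 3 longs + name length + extra length (30 bytes)
LOCAL_HEADER_FMT = "<4sHHHHHIIIHH"
LOCAL_HEADER_SIG = b"PK\x03\x04"
EXTRA_LIMIT = 4096  # constructed heuristic: zipalign padding in benign APKs is only a few bytes


def duplicate_entries(apk_bytes):
    """Names that occur more than once in the central directory (master key pattern)."""
    seen, dups = set(), []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in seen and info.filename not in dups:
                dups.append(info.filename)
            seen.add(info.filename)
    return dups


def oversized_local_extra(apk_bytes, limit=EXTRA_LIMIT):
    """(name, extra_len) for entries whose *local* header extra field exceeds `limit` bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            fields = struct.unpack(LOCAL_HEADER_FMT, apk_bytes[off:off + 30])
            if fields[0] != LOCAL_HEADER_SIG:
                raise ValueError("bad local header for %s" % info.filename)
            extra_len = fields[10]  # the 64 KB-capped field the second flaw abuses
            if extra_len > limit:
                hits.append((info.filename, extra_len))
    return hits


def build_sample(duplicate=False, big_extra=0):
    """Constructed APK-like archive for testing; not a real app."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; we want them here
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zi = zipfile.ZipInfo("classes.dex")
            if big_extra:  # one opaque extra-field record padded to the requested size
                zi.extra = struct.pack("<HH", 0x7777, big_extra) + b"A" * big_extra
            zf.writestr(zi, b"dex\n035\x00 legitimate")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00 second copy")
    return buf.getvalue()
```

Both checks run on the raw archive bytes before anything is installed, so they do not depend on the platform's own ZIP parser agreeing with itself.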

Google has reportedly patched the vulnerability in the AOSP. But how long will Android users have to wait, yet again, for a fix from their carriers or handset makers?

Added July 17: Security firm Webroot said that an updated version of its free antivirus product, Webroot SecureAnywhere Mobile, released Tuesday, now also blocks the master key vulnerability. Unlike ReKey, the Android app does so without requiring a device to be rooted.
