Relax: Google, Carriers Patching Android "Master Key" Exploit

Just days ago, Bluebox Security CTO Jeff Forristal said in a company blog that a newly-discovered vulnerability in Android has resided in the platform since v1.6 "Donut" at the very least. It allows a hacker to modify APK code without breaking an application's cryptographic signature (master key). That means any legitimate app, even Android system apps and those pre-loaded by the device maker, can be turned into malware without alerting the device or the user.

"Details of Android security bug 8219321 were responsibly disclosed through Bluebox Security’s close relationship with Google in February 2013," he said. "It’s up to device manufacturers to produce and release firmware updates for mobile devices (and furthermore for users to install these updates). The availability of these updates will widely vary depending upon the manufacturer and model in question."

Now it seems that Google and wireless carriers are finally getting around to rolling out a security fix. Verizon Wireless is now issuing an OTA update from Motorola for the DROID RAZER HD and MAXX HD (pdf), but it's not the 4.2.2. update customers have been waiting for. Instead, it's a small 50 MB patch (v9.20.1.XT926) that reportedly enhances GPS reliability, data metering and Bluetooth connectivity, fixes a few SMS bugs and updates the Backup Assistant and SMARTACTIONS apps. It also supposedly fixes the four year-old "Master Key" security hole described by Forristal on the device level.

Gina Scigliano, Google's Android Communications Manager, confirmed with ZDNet that OEMs are now distributing patches to plug the Bluebox security hole. She also assured device owners that Google has not seen any signs of exploitation on Google Play and other Android app stores.

"A patch has been provided to our partners - some OEMs, like Samsung, are already shipping the fix to the Android devices," Scigliano said. "We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue - and Verify Apps provides protection for Android users who download apps to their devices outside of Play."

Computerworld's JR Raphael points out that Bluebox Security is a new "stealth" startup company that – wait for it – sells Android security software. He also points out that Google scans all apps within its official Play Store for malicious code. Google Play has already been "patched" for this exploit, meaning that no tampered apps can be uploaded to Google's servers. Amazon's Appstore may or may not be patched at this point.

That said, the possible security risk resides with side-loading apps from other Android markets. But even if Android device owners allow side-loading, they would still need to weed through multiple layers of warnings before actually installing the app. After that, Google's app-scanning system will even check those non-Play apps for vicious bugs. Google, it seems, has our back.

Now check this out: Bluebox has an app that will warn users if the "Master Key" exploit is on their phone, or if it's been patched. Talk about panic inflation.

Given that Android 4.2.2 is already out and about, many device owners are awaiting Android 4.3 "Jelly Bean" to make an appearance this month. There's a good chance Google patched the "Master Key" security bug in this build on the Android level, but a number of devices may not see the update for a while – if at all -- due to OEMs and wireless carriers dragging their feet. Issuing a small patch is a lot faster than issuing an entire OS update with added bloatware.

It was certainly easy to get caught up in the hype surrounding Bluebox's report: indeed, it still sounds a little scary. Theoretically hackers could tear open a trusted app (APK) and change the code without disturbing the cryptographic key. All Android apps are signed with this master key, and when they're updated, they must have the same key, else the old version will not be overwritten. So far there doesn't seem to be any sign that this exploit was taken advantage of, and now that window of opportunity is closing.

Still, it's curious that patches are now being distributed after the blog went live. Was it coincidence or did Google, ODMs and wireless carriers suddenly feel consumer panic? And how big of a surge did Bluebox Security see in private beta signups after the report went viral? We're betting huge.

Create a new thread in the US News comments forum about this subject
This thread is closed for comments
Comment from the forums
    Your comment
  • Cy-Kill
    Canadian carriers still haven't given the go ahead for the update here, and on a side note, neither have they for the S4 update either.
  • Cy-Kill
    Canadian carriers still haven't given the go ahead for the update here, and on a side note, neither have they for the S4 update either.
  • woodshop
    If you're dumb enough to sideload an app and you don't know the security risks, well, then that's your fault. If you're good enough to be an Android then you take security precautions anyway.