The new vulnerability in Android phones, codenamed ‘Master Key’, allows installed apps to be modified without the user's awareness. Present since Android 1.6, it affects 99% of Android devices, or potentially up to 900 million smartphones.
The vulnerability was first publicly disclosed by Jeff Forristal, CTO of Bluebox. It allows cybercriminals to inject malicious code into legitimate apps without invalidating the digital signature.
Google has since released a patch for the Android operating system and provided it to carriers and device manufacturers. However, due to the fragmented nature of the Android ecosystem, it is likely to take quite a while for most people to receive the update.
Some Q&A taken from Trend Micro, an online security vendor:
What’s this “master key” vulnerability?
The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route. An app can only be updated if the new version has a matching signature from the same developer.
This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.
Note that technically, there is no “master key” that has been breached. Yes, any app can be modified and used for malicious purposes, but there’s no “master key” in the first place.
What are the risks?
This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk.
Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified/Trojanized app for a bank would continue to work for the user, but the credentials would have been sent to an attacker.
What can Android users do to protect themselves?
Users are strongly advised to download apps only from Google Play Store. Google has modified the backend of their online store so that apps that try to exploit this problem are blocked. Thus, users who do not download apps from third-party stores or sideload APK files should not be at risk from this threat.
At the moment, mobile security software such as the ones from Trend Micro and Norton by Symantec protects Android users from this threat.
[Source 1]– Trend Micro
[Source 2]– Symantec