New Android Master Key attack revealed by Android Security Squad

Pierluigi Paganini July 17, 2013

The China-based group Android Security Squad revealed a new Android Master Key attack that exploits a vulnerability in the way the OS reads APK files, allowing modification of signed, legitimate apps.

The China-based group Android Security Squad has found, for the second time, a serious vulnerability in Android's master key handling. In recent days an Android master key vulnerability was disclosed that could be exploited by attackers to modify an app without breaking its digital signature. The repercussions are serious because an attacker could modify the code to inject any kind of malware, bypassing every security mechanism on almost all Android-based smartphones. The previous flaw was revealed by the security firm Bluebox Security, which stated that 99% of Android devices are vulnerable to the attack method it described. Google has already patched the flaw and released the fix to the Android Open Source Project (AOSP).
The digital signature on a file is used in this context mainly to confirm that the file hasn't been altered.
This time Android security is threatened by a similar flaw that could be abused for the same purpose.
The Android Security Squad discovered that malicious code can be added via the file headers, even when the targeted files are smaller than 64K.
The attacker modifies an extra field length to 0xFFFD to fool the integrity check into loading a malicious payload.
Android security master key vulnerability
The Android application package file (APK) is the file format the Android OS uses to distribute and install apps and middleware.
“To make an APK file, a program for Android is first compiled, and then all of its parts are packaged into one file. An APK file contains all of that program’s code (such as .dex files), resources, assets, certificates, and manifest file. As is the case with many file formats, APK files can have any name needed, provided that the file name ends in ‘.apk’.”
APK files are packed using a version of the ZIP archive format. Although most ZIP implementations do not allow two files with the same name in the same archive, the format itself does not forbid it.
An attacker could therefore insert two versions of the classes.dex file into the same package, the original one and the modified version. The flaw is in the Android security model: when the OS verifies an app's digital signature it examines only the first matching file, but when the app is executed it loads the last one.
An attacker who wants to Trojanize an app need only add the malicious code to the legitimate package under a name that already exists within it; the benign file passes the signature check despite the presence of the malicious content.
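As an added, defender-side example that is not part of the original article: a small Python audit that parses an archive's central directory and local headers directly, instead of trusting a ZIP library to normalise them, and flags the two conditions described above: duplicate entry names, and extra-field lengths that would read as negative signed 16-bit values or run past the end of the file. The sample archives are constructed inside the block and are not real APKs; `build_sample`, `list_entries` and `audit_apk` are names chosen here.

```python
from __future__ import annotations

import io
import struct
import warnings
import zipfile
from collections import Counter

# ZIP record layouts (all little-endian), as defined in the PKWARE APPNOTE.
EOCD_SIG = b"PK\x05\x06"
CEN_SIG = b"PK\x01\x02"
LOC_SIG = b"PK\x03\x04"
EOCD_FMT = "<4sHHHHIIH"          # end of central directory record, 22 bytes
CEN_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory file header, 46 bytes
LOC_FMT = "<4sHHHHHIIIHH"        # local file header, 30 bytes


def list_entries(data: bytes) -> list[dict]:
    """Walk the central directory and return one record per entry.

    Each record carries the entry name, the extra-field length stored in the
    central directory, and the name/extra-field lengths stored in the entry's
    local header, so they can be checked against the archive size.
    """
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd_at)
    entries = []
    pos = cd_offset
    for _ in range(total):
        cen = struct.unpack_from(CEN_FMT, data, pos)
        if cen[0] != CEN_SIG:
            raise ValueError(f"bad central directory signature at offset {pos}")
        name_len, extra_len, comment_len, local_off = cen[10], cen[11], cen[12], cen[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        loc = struct.unpack_from(LOC_FMT, data, local_off)
        if loc[0] != LOC_SIG:
            raise ValueError(f"bad local header signature for {name!r}")
        entries.append({
            "name": name,
            "cen_extra_len": extra_len,
            "loc_name_len": loc[9],
            "loc_extra_len": loc[10],
            "local_offset": local_off,
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def audit_apk(data: bytes) -> list[str]:
    """Return human-readable findings for the two conditions the article describes."""
    entries = list_entries(data)
    findings = []
    # 1. The same name appearing twice: the signature check and the loader
    #    may not agree on which copy is the real one.
    for name, n in Counter(e["name"] for e in entries).items():
        if n > 1:
            findings.append(f"duplicate entry name {name!r} appears {n} times")
    # 2. Extra-field lengths that a signed 16-bit reader would treat as
    #    negative, or that point past the end of the archive.
    for e in entries:
        for where, extra in (("central", e["cen_extra_len"]), ("local", e["loc_extra_len"])):
            if extra >= 0x8000:
                findings.append(
                    f"{e['name']!r}: {where} extra field length 0x{extra:04X} "
                    "is negative as a signed 16-bit value")
        data_start = e["local_offset"] + 30 + e["loc_name_len"] + e["loc_extra_len"]
        if data_start > len(data):
            findings.append(f"{e['name']!r}: local extra field runs past end of archive")
    return findings


def build_sample(kind: str = "clean") -> bytes:
    """Constructed test fixture (not a real APK) for the audit above.

    kind: "clean", "duplicate" (two classes.dex entries) or "extra" (the
    local-header extra-field length of classes.dex set to 0xFFFD, the value
    quoted in the article).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00first copy")
        if kind == "duplicate":
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("classes.dex", b"dex\n035\x00second copy")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    data = bytearray(buf.getvalue())
    if kind == "extra":
        dex = next(e for e in list_entries(bytes(data)) if e["name"] == "classes.dex")
        # Extra-field length lives at offset 28 inside the 30-byte local header.
        struct.pack_into("<H", data, dex["local_offset"] + 28, 0xFFFD)
    return bytes(data)


if __name__ == "__main__":
    for kind in ("clean", "duplicate", "extra"):
        print(kind, audit_apk(build_sample(kind)) or "no findings")
```

The audit deliberately walks the raw records: a library that silently de-duplicates names or clamps lengths would hide exactly the inconsistency between verifier and loader that this class of bug depends on. Running it over an APK before installation, or in an app-store ingestion pipeline, gives an independent check that the archive is unambiguous.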
To patch the Android master key vulnerability it is possible to use the free mobile app ReKey, as highlighted by the TheHackerNews team in a post.
The only way to reduce the likelihood of infection is to install only applications downloaded from legitimate app store sources.
“If you don’t know where the APK came from, it’s no different than grabbing .exes from the Net. Make sure you’re not using apps from untrusted sources and stick to Google Play,” said Bluebox Security CTO Jeff Forristal.
Pierluigi Paganini
(Security Affairs – Android, hacking, Android Security Squad)
