Feeds

Android MasterKey found buried in kiddie cake game on Google Play - report

Send for nurse for fear of something much, much worse

The essential guide to IT transformation

Two Google Play apps that use the so-called "MasterKey" vulnerability, albeit harmlessly, have been detected, security researchers have announced.

The Android signature vulnerability, which first came to light two weeks ago, affects the vast majority of Android smartphones and tablets, creating a means to load fake files into Android installation packages without changing the signatures.

Apps for Android come as .APKs (Android Packages), which are actually just ZIP archives. Mobile security start-up Bluebox Security discovered it was possible to pack an installation file with files whose name is the same as those already in the archive but whose arbitrary contents might easily contain malicious code.

Android's cryptographic verifier checks the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version.

Google has reportedly begun scanning apps in its Google Play Store for the MasterKey vulnerability. These scans also cover a similar flaw along the same lines that was recently discovered by Chinese security researchers.

Despite this, checks by antivirus firm BitDefender have revealed the presence of a number of apps featuring the vulnerability on the official Google Play store. The doctored apps are harmless and the abuse of the vulnerability is probably accidental, BitDefender security researcher Bogdan Botezatu explains in a blog post (extract below):

Two of the apps, Rose Wedding Cake Game – ‘air.RoseWeddingCakeGame v 1.1.0’ and Pirates Island Mahjong Free ’air.PiratesIslandMahjong v 1.0.1’, have been last updated  in mid-May and are increasingly popular with Android users. While the Pirates Island Mahjong Free has been installed by between 5,000 and 10,000 users, Rose Wedding Cake Game has between 10,000 and 50,000 installs.

There is no need to panic right away: the applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake. In contrast, malicious exploitation of this flaw focuses on replacing application code.

One thing that is particularly interesting about today’s discovery is the fact that the two applications exhibiting this behaviour managed to make their way into the Play Store without raising any red flags. However, patched Android distributions such as CyanogenMod will refuse to install the application with the mention that the “Package file was not signed correctly”.

The obvious concern is that if effective screening for the vulnerability is not even taking place on Google's official Play store, then something more potent and nasty might easily appear.

Aside from any screening, recent changes mean that Google Play Store apps are only supposed to update through the official Play update mechanisms. Google banned outside updating mechanisms two-and-a-half months ago, a move that in retrospect looks like a response to Bluebook Security's private notification that it had a problem involving Android app integrity checks back in February.

We understand the applications were reviewed but not removed by Google because they didn't do anything harmful and weren't otherwise in violation of the Android Developer Distribution Agreement.

Almost all Android devices are potentially at risk from the MasterKey flaw, since the vulnerability has existed since Android 1.6 (Donut), but only the Samsung Galaxy S4 has been patched to protect against it.

Bitdefender Mobile Security & Antivirus suite, as well as the Romanian vendor's Antivirus Free for Android, are all being updated to detect and block Android package files that abuse the MasterKey vulnerability, which might be used in attempted to distribute doctored versions of popular apps containing hidden backdoor or other malicious code.

Rival antivirus vendor Webroot has also updated its Android anti-malware software. And more protection is available with the free-of-charge ReKey application from Duo Security and Northeastern University's System Security Lab, which offers a third-party unofficial patch designed to fix the underlying vulnerability rather than detecting and blocking attempts to exploit the security hole. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
EE fails to apologise for HUGE T-Mobile outage that hit Brits on Friday
Customer: 'Please change your name to occasionally somewhere'
Time Warner Cable customers SQUEAL as US network goes offline
A rude awakening: North Americans greeted with outage drama
We need less U.S. in our WWW – Euro digital chief Steelie Neelie
EC moves to shift status quo at Internet Governance Forum
BT customers face broadband and landline price hikes
Poor punters won't be affected, telecoms giant claims
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.