
Android MasterKey found buried in kiddie cake game on Google Play - report

Send for nurse for fear of something much, much worse


Two Google Play apps that use the so-called "MasterKey" vulnerability, albeit harmlessly, have been detected, security researchers have announced.

The Android signature vulnerability, which first came to light two weeks ago, affects the vast majority of Android smartphones and tablets, creating a means to load fake files into Android installation packages without changing the signatures.

Apps for Android come as .APKs (Android Packages), which are actually just ZIP archives. Mobile security start-up Bluebox Security discovered it was possible to pack an installation file with files whose names are the same as those already in the archive but whose contents are arbitrary and might easily contain malicious code.

Android's cryptographic verifier checks the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version.

Google has reportedly begun scanning apps in its Google Play Store for the MasterKey vulnerability. These scans also cover a similar flaw that was recently discovered by Chinese security researchers.

Despite this, checks by antivirus firm BitDefender have revealed the presence of a number of apps featuring the vulnerability on the official Google Play store. The doctored apps are harmless and the abuse of the vulnerability is probably accidental, BitDefender security researcher Bogdan Botezatu explains in a blog post (extract below):

Two of the apps, Rose Wedding Cake Game – ‘air.RoseWeddingCakeGame v 1.1.0’ and Pirates Island Mahjong Free ‘air.PiratesIslandMahjong v 1.0.1’, have been last updated in mid-May and are increasingly popular with Android users. While the Pirates Island Mahjong Free has been installed by between 5,000 and 10,000 users, Rose Wedding Cake Game has between 10,000 and 50,000 installs.

There is no need to panic right away: the applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake. In contrast, malicious exploitation of this flaw focuses on replacing application code.

One thing that is particularly interesting about today’s discovery is the fact that the two applications exhibiting this behaviour managed to make their way into the Play Store without raising any red flags. However, patched Android distributions such as CyanogenMod will refuse to install the application with the mention that the “Package file was not signed correctly”.

The obvious concern is that if effective screening for the vulnerability is not even taking place on Google's official Play store, then something more potent and nasty might easily appear.

Aside from any screening, recent changes mean that Google Play Store apps are only supposed to update through the official Play update mechanisms. Google banned outside updating mechanisms two-and-a-half months ago, a move that in retrospect looks like a response to Bluebox Security's private notification back in February that it had found a problem involving Android app integrity checks.

We understand the applications were reviewed but not removed by Google because they didn't do anything harmful and weren't otherwise in violation of the Android Developer Distribution Agreement.

Almost all Android devices are potentially at risk from the MasterKey flaw, since the vulnerability has existed since Android 1.6 (Donut), but only the Samsung Galaxy S4 has been patched to protect against it.

Bitdefender Mobile Security & Antivirus suite, as well as the Romanian vendor's Antivirus Free for Android, are both being updated to detect and block Android package files that abuse the MasterKey vulnerability, which might be used in attempts to distribute doctored versions of popular apps containing hidden backdoors or other malicious code.

Rival antivirus vendor Webroot has also updated its Android anti-malware software. And more protection is available with the free-of-charge ReKey application from Duo Security and Northeastern University's System Security Lab, which offers a third-party unofficial patch designed to fix the underlying vulnerability rather than detecting and blocking attempts to exploit the security hole. ®
