Android MasterKey found buried in kiddie cake game on Google Play - report

Send for nurse for fear of something much, much worse

Two Google Play apps that use the so-called "MasterKey" vulnerability, albeit harmlessly, have been detected, security researchers have announced.

The Android signature vulnerability, which first came to light two weeks ago, affects the vast majority of Android smartphones and tablets: it lets an attacker add doctored files to an Android installation package without invalidating the package's signature.

Apps for Android come as .APKs (Android Packages), which are actually just ZIP archives. Mobile security start-up Bluebox Security discovered it was possible to add entries to an installation package whose names duplicate those of files already in the archive; the duplicate's contents are arbitrary and could easily carry malicious code.

Android's cryptographic verifier checks the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version, so the signature check passes on the original entry while the duplicate is what actually ends up on the device.

Google has reportedly begun scanning apps in its Google Play Store for the MasterKey vulnerability. These scans also cover a similar flaw that was recently discovered by Chinese security researchers.

Despite this, checks by antivirus firm BitDefender have revealed a number of apps on the official Google Play store that trigger the vulnerability. The doctored apps are harmless and the abuse of the vulnerability is probably accidental, BitDefender security researcher Bogdan Botezatu explains in a blog post (extract below):

Two of the apps, Rose Wedding Cake Game – ‘air.RoseWeddingCakeGame v 1.1.0’ and Pirates Island Mahjong Free – ‘air.PiratesIslandMahjong v 1.0.1’, have been last updated in mid-May and are increasingly popular with Android users. While the Pirates Island Mahjong Free has been installed by between 5,000 and 10,000 users, Rose Wedding Cake Game has between 10,000 and 50,000 installs.

There is no need to panic right away: the applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake. In contrast, malicious exploitation of this flaw focuses on replacing application code.

One thing that is particularly interesting about today’s discovery is the fact that the two applications exhibiting this behaviour managed to make their way into the Play Store without raising any red flags. However, patched Android distributions such as CyanogenMod will refuse to install the application with the mention that the “Package file was not signed correctly”.
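As an added illustration (not code from the article, Bluebox or BitDefender), the following Python script builds constructed ZIP archives with a repeated entry name, shows that a plain read-by-name returns the last copy while the first copy is what sits first in the directory (the verifier/installer mismatch described above), and flags whether the repeated entry is a resource, like the duplicate PNGs in the extract, or a code entry. The CODE_ENTRIES list and all sample bodies are assumptions made for the example.

```python
import io
import warnings
import zipfile
from collections import Counter

# Entries whose duplication would replace code rather than an image (assumed
# list for this example; a real scanner would cover every executable entry).
CODE_ENTRIES = {"classes.dex", "AndroidManifest.xml"}


def build_sample_zip(entries):
    """Constructed sample: write (name, body) pairs in order, repeats allowed."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns on a repeated name but still writes both entries
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w") as zf:
            for name, body in entries:
                zf.writestr(name, body)
    return buf.getvalue()


def find_duplicate_entries(zip_bytes):
    """Return {name: [body, ...]} in directory order for every repeated name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        counts = Counter(info.filename for info in infos)
        dupes = {}
        for info in infos:
            if counts[info.filename] > 1:
                # Opening by ZipInfo reads this exact entry, not the name lookup
                dupes.setdefault(info.filename, []).append(zf.open(info).read())
    return dupes


def first_vs_lookup(zip_bytes, name):
    """(first copy in the directory, what a plain read-by-name returns)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        first = next(i for i in zf.infolist() if i.filename == name)
        return zf.open(first).read(), zf.read(name)


def classify(zip_bytes):
    """'clean', 'resource-duplicate' or 'code-duplicate'."""
    dupes = find_duplicate_entries(zip_bytes)
    if not dupes:
        return "clean"
    if any(n in CODE_ENTRIES or n.endswith(".dex") for n in dupes):
        return "code-duplicate"
    return "resource-duplicate"
```

Any archive with a repeated name should be rejected outright, as the patched CyanogenMod builds mentioned above do; the classification only helps triage what an accepted duplicate would have changed.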

The obvious concern is that if effective screening for the vulnerability is not even taking place on Google's official Play store, then something more potent and nasty might easily appear.

Aside from any screening, recent changes mean that Google Play Store apps are only supposed to update through the official Play update mechanisms. Google banned outside updating mechanisms two-and-a-half months ago, a move that in retrospect looks like a response to Bluebox Security's private notification back in February that it had found a problem with Android app integrity checks.

We understand the applications were reviewed but not removed by Google because they didn't do anything harmful and weren't otherwise in violation of the Android Developer Distribution Agreement.

Almost all Android devices are potentially at risk from the MasterKey flaw, since the vulnerability has existed since Android 1.6 (Donut), but only the Samsung Galaxy S4 has been patched to protect against it.

Bitdefender Mobile Security & Antivirus suite, as well as the Romanian vendor's Antivirus Free for Android, are both being updated to detect and block Android package files that abuse the MasterKey vulnerability, which might be used in attempts to distribute doctored versions of popular apps containing hidden backdoors or other malicious code.

Rival antivirus vendor Webroot has also updated its Android anti-malware software. And more protection is available with the free-of-charge ReKey application from Duo Security and Northeastern University's System Security Lab, which offers a third-party unofficial patch designed to fix the underlying vulnerability rather than detecting and blocking attempts to exploit the security hole. ®
