Android MasterKey found buried in kiddie cake game on Google Play - report

Send for nurse for fear of something much, much worse

Two Google Play apps that use the so-called "MasterKey" vulnerability, albeit harmlessly, have been detected, security researchers have announced.

The Android signature vulnerability, which first came to light two weeks ago, affects the vast majority of Android smartphones and tablets, creating a means to load fake files into Android installation packages without changing the signatures.

Apps for Android come as .APKs (Android Packages), which are actually just ZIP archives. Mobile security start-up Bluebox Security discovered it was possible to add files to an installation package under the same names as files already in the archive, with arbitrary contents that might easily include malicious code.

Android's cryptographic verifier checks the first version of any repeated file in an APK archive, but the installer extracts and deploys the last version.

Google has reportedly begun scanning apps in its Google Play Store for the MasterKey vulnerability. These scans also cover a similar flaw that was recently discovered by Chinese security researchers.
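The duplicate-name condition described above can be checked directly from an archive's central directory. The sketch below is an added illustration, not code from Google, Bitdefender or Bluebox; the function names, the list of code suffixes and the sample archive are assumptions constructed for this example.

```python
import io
import warnings
import zipfile
from collections import defaultdict

# Entry names treated as executable content (an assumption of this example).
CODE_SUFFIXES = (".dex", ".so", ".jar")


def find_duplicate_entries(apk):
    """Map each repeated entry name to [(position, crc32, size), ...]."""
    seen = defaultdict(list)
    with zipfile.ZipFile(apk) as zf:
        # infolist() keeps every central-directory record, repeats included.
        for position, info in enumerate(zf.infolist()):
            seen[info.filename].append((position, info.CRC, info.file_size))
    return {name: hits for name, hits in seen.items() if len(hits) > 1}


def classify(duplicates):
    """Split repeated names into (code entries, other resources)."""
    code = sorted(n for n in duplicates if n.endswith(CODE_SUFFIXES))
    other = sorted(n for n in duplicates if not n.endswith(CODE_SUFFIXES))
    return code, other


def build_sample_apk(entries):
    """Constructed test input: in-memory ZIP from (name, bytes) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on repeats
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_apk([
        ("AndroidManifest.xml", b"manifest placeholder"),
        ("classes.dex", b"dex placeholder"),
        ("res/drawable/button.png", b"first"),
        ("res/drawable/button.png", b"second!"),
    ])
    found = find_duplicate_entries(sample)
    code, other = classify(found)
    for name, hits in found.items():
        print(name, hits)
    print("REJECT: duplicated code" if code else "REVIEW: duplicated resources", other)
```

A legitimately built package has no reason to repeat an entry name, so any hit is worth flagging; a repeated code entry is the case that matters most.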

Despite this, checks by antivirus firm BitDefender have revealed the presence of a number of apps featuring the vulnerability on the official Google Play store. The doctored apps are harmless and the abuse of the vulnerability is probably accidental, BitDefender security researcher Bogdan Botezatu explains in a blog post (extract below):

Two of the apps, Rose Wedding Cake Game – ‘air.RoseWeddingCakeGame v 1.1.0’ and Pirates Island Mahjong Free – ‘air.PiratesIslandMahjong v 1.0.1’, were last updated in mid-May and are increasingly popular with Android users. While the Pirates Island Mahjong Free has been installed by between 5,000 and 10,000 users, Rose Wedding Cake Game has between 10,000 and 50,000 installs.

There is no need to panic right away: the applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake. In contrast, malicious exploitation of this flaw focuses on replacing application code.

One thing that is particularly interesting about today’s discovery is the fact that the two applications exhibiting this behaviour managed to make their way into the Play Store without raising any red flags. However, patched Android distributions such as CyanogenMod will refuse to install the application with the mention that the “Package file was not signed correctly”.

The obvious concern is that if effective screening for the vulnerability is not even taking place on Google's official Play store, then something more potent and nasty might easily appear.

Aside from any screening, recent changes mean that Google Play Store apps are only supposed to update through the official Play update mechanisms. Google banned outside updating mechanisms two-and-a-half months ago, a move that in retrospect looks like a response to Bluebox Security's private notification back in February of a problem involving Android app integrity checks.

We understand the applications were reviewed but not removed by Google because they didn't do anything harmful and weren't otherwise in violation of the Android Developer Distribution Agreement.

Almost all Android devices are potentially at risk from the MasterKey flaw, since the vulnerability has existed since Android 1.6 (Donut), but only the Samsung Galaxy S4 has been patched to protect against it.

Bitdefender Mobile Security & Antivirus suite, as well as the Romanian vendor's Antivirus Free for Android, are being updated to detect and block Android package files that abuse the MasterKey vulnerability, which might be used in attempts to distribute doctored versions of popular apps containing hidden backdoors or other malicious code.

Rival antivirus vendor Webroot has also updated its Android anti-malware software. And more protection is available with the free-of-charge ReKey application from Duo Security and Northeastern University's System Security Lab, which offers a third-party unofficial patch designed to fix the underlying vulnerability rather than detecting and blocking attempts to exploit the security hole. ®
