The Android “Master Key” Exploit


Over the last few days much has been written about a serious security hole in the Android operating system that can give attackers complete access to affected mobile devices. Bluebox, the discoverers of the security hole, estimate that 99% of Android devices since v1.6 are vulnerable to the vulnerability. And although there are some patches out there, the waiting time and thus the time spent without protection could be very long or even permanent for many users, because many devices will probably not receive the patch.

The fact is that attackers can gain access to all the data and functions on a device if they exploit the vulnerability. Android apps, .apk files, are changed by the attackers. Malicious elements are added that are not detected by vulnerable systems in security checks.

How can this happen?

In simple terms, the apk file is a container for a set of files – a .zip archive with a different name. The files in the container are subjected to an authenticity check on installation and checked against cryptographic checksums. The checksums are stored in the Manifest.MF file, which is also stored in the .apk file.
If files in the container have been changed and thus do not match the stored checksums, the installation is stopped. This security step functions flawlessly.

The current problem is that attackers do not change the existing files in the container but instead add modified duplicates of the files to the container. These duplicates are not subjected to the security check. The check is done on the original file. But due to an error, the file that is installed is the modified, malicious duplicate.

What can happen?

Attackers can exploit the vulnerability to gain access to the device in various ways:

  • One relatively simple attack to carry out is data theft: the attackers manipulate an app from which they want to steal data in the manner described above and get the user to install it. The attackers thus gain access to all the information entered and processed in the app, such as contact data, bank details, etc.

  • Another possible, but more complicated, form of attack is the manipulation of apps with system rights, such as those pre-installed on the device by the manufacturer. If the attackers manage to manipulate these apps and spread them among users, they gain full access to the device. They can then steal data at will and carry out various other scenarios that are difficult or even impossible for users to detect, such as integrating the device in a bot network, rooting the device or using the device as a proxy (e.g. for the distribution of child pornography).


What can the user do?

According to reports, Google has already reacted and forwarded the necessary information to the device manufacturers. Now users have to wait for the corresponding update or patch for their mobile devices. Unfortunately the update policy and system-related update options for Android devices have often been the real stumbling block. Also, there is great fragmentation across manufacturers, telephone providers and different devices, which is more of a curse than a blessing in such cases and leads to less than ideal security conditions. Many devices will presumably never receive an update because they have already passed the “end-of-life” date defined by the manufacturer.

Until an official update/patch is available for their respective devices, users should do the following:

  • Use a comprehensive security solution for your Android mobile device
    G Data MobileSecurity 2 includes a hotfix that offers effective protection against the “Master Key” exploit.
    An update has already been delivered to existing customers, and non-customers can download a free 30-day version of G Data MobileSecurity 2.

  • Only download apps from the official Google Play Store and sources you really trust
    Also pay special attention to the app evaluations and comments as well as the rights requested by the app.