First Apps Targeting Android Key Vulnerability Found in the Wild
wiredmikey writes with this tidbit from Security Week: "Earlier this month, researchers from Bluebox Security uncovered a serious vulnerability in Android that allowed for the modification of apps without affecting the cryptographic signature, making it possible for attackers to turn legitimate apps into Trojans. ... Now, Symantec says it has uncovered the first malicious apps making use of the exploit in the wild. Symantec discovered two mobile applications that were infected by an attacker, which are legitimate applications used to help find and make doctor appointments and distributed on Android marketplaces in China. 'An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,' Symantec explained in a blog post. ... Google has fixed the security hole in Android, but it is now in the control of handset manufacturers to produce and release the updates for mobile devices to patch the flaws."
In other words ... (Score:5, Insightful)
So, in other words, most people are screwed, because most of the manufacturers pretty much never really do updates.
I think that has to be the biggest limitation of the platform -- it is so fragmented, you could easily end up with a device which is never going to see updates.
Re: (Score:3)
I wouldn't be surprised if Android 5.0 took some measures to decouple important system functions like this from the user experience layer in such a way that Google could roll out important, low level updates while leaving the overall experience in the hands of the carriers.
Of course then Google would be responsible for making sure the update is compatible with every available Android device, rather than the carriers and manufacturers.
Re: (Score:2, Informative)
This has already been happening, at Google I/O this year there were loads of announcements of changes and new APIs, but these were all done through app updates, no new os revision was released. So bit by bit they are carefully moving key features out of the base install and into APKs that can be updated through the play store. There are certain features that require an os update to liberate them, but it looks promising.
Re: (Score:2)
And the carriers will have to agree to it, since it might break their 'premium add-on' software that was pre-installed.
Re:In other words ... (Score:5, Insightful)
I'm already happy I bought a Google Edition phone then and not having to wait for the damn handset and/or telco assholes to get off their butts to issue a fix.
Except... wait for it...
OEMs (Samsung, LG, HTC, etc) have already patched this, and have already gotten code past the carriers. And Google? Every Nexus device STILL HAS THIS HOLE. Fragmentation is not the issue, mobile security is just fucking hard.
Re:In other words ... (Score:4, Insightful)
Really, the way that people spend $400-$500 on a device and think that they are entitled to lifetime support for bugfixes AND updates amazes me.
Microsoft of all companies set the expectation here. Your $500 laptop from 2000 running XP STILL gets security updates every patch Tuesday. And certainly Android can't hold a candle to Wintel when it comes to fragmentation.
Re: (Score:2)
Actually, fragmentation on Wintel's a lot less than on ARM. The basic PC architecture is still the same as it was back in 1981 - you have memory at 0, BIOS starts 1MB in, video is somewhere between 640k-1MB, etc.
And when Windows came around, fragmentation decreased further still - there's
Re: (Score:2)
Good points. There is still quite a bit of variety on Wintel though - ACPI seems like a mess, and there are lots of other support chips that need variations of behavior on motherboards.
But you're right, in the end the boot loaders all have the same defined interface, with the CPU in a relatively similar state, and the same basic architecture across the board. Until EFI came along the modern PC would probably boot DOS 2.1 just fine.
Re:In other words ... (Score:5, Informative)
The other app is from Bluebox Security and is called Bluebox Security Scanner. The Scanner app will simply tell you if your phone has the Master Key vulnerability. Bluebox Security Scanner [google.com]
Re: (Score:2)
I think that would be part of the fragmentation issue.
Re: (Score:1)
I'm sorry but I never understood this. There is zero reason to consider the kernel of an OS unless you plan on doing some real mods to your OS. I hear it so often from wannabes that Android is magically better and more powerful because it's open source. This is false. I've even bothered to talk to a couple of them about open source and many of them never seem to understand what it takes to mod their phone, write code or even have their phones ro
Re: (Score:2)
One of the downsides of open-source and free-software (or whatever you want to call it) is the ability to fork the codebase, which causes maintenance problems, such as this. The other edge to this sword is that as your hardware ages Apple will not support it and nobody can fix it themselves, resulting in an entirely different set of maintenance problems.
While it would be nice if Android updates were available to all who wanted them regardless of which phone they happened to be using, I'll gladly take the current situation over any 'benevolent dictator' type of forced software distribution. For those who like their 'experience' to be managed by a commercial entity there is Apple. For those who prefer to do things their own way, Android is so far ahead of the closed Apple world that they might as well be from another planet.
The comparison with the Dell runni
Re: (Score:2)
Samsung have fixed this on their newest devices. My Note 2 received the patch a while ago.
Re: (Score:1)
My understanding is that the Nexus devices without OEM builds of the OS should enter the pipeline for updates directly from Google, and my phone reports having checked for updates within the last 6 hours. In my case, I don't have any binaries downloaded from non-Google sources (other than a
Re: (Score:1)
I see we have an Apple shill here.
WTF? Go back and read my post again, you fool. Or try enrolling in an English comprehension course.
Re: (Score:2)
Patched code in AOSP, not patched binaries for devices. Your GNex does not get every update contributed to the AOSP source; it needs to be compiled and sent to your phone.
Currently, the GS4, HTC One and anything running a CM-based ROM has been patched for sure; I'm not aware of what the status on anything else is because I don't care.
Re: (Score:2)
> So, in other words, most people are screwed, because most of the manufacturers pretty much never really do updates.
"Most people" get their apps from the Google Play store, where presumably apps that use the exploit can be screened and killed on sight. So the vast majority of people are perfectly safe by default and more so when firmware updates explicitly address the exploit in the installer.
It's only those idiots who get apps from warez sites who are at risk, and frankly what difference does it make in that situation? Anyway the exploit itself is easy to detect (the apk has 2 or more files that point to the same path) so it wo
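The duplicate-path check the comment above describes, written out as an added example (not code from the thread, Bluebox or Symantec): it walks the ZIP central directory of an APK and reports any entry name that appears more than once. The sample APK-shaped archives are constructed in the block itself; the file names and contents are placeholders.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

CD_HEADER_SIG = b"PK\x01\x02"          # central directory file header signature
EOCD_SIG = b"PK\x05\x06"               # end of central directory record signature
CD_HEADER_FMT = "<4sHHHHHHIIIHHHHHII"  # fixed 46-byte part of a central directory header


def central_directory_names(blob: bytes) -> list:
    """Return every entry name listed in the central directory, duplicates included."""
    eocd_pos = blob.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP/APK")
    # EOCD fields: sig, disk no, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, _, total, cd_size, cd_offset, _ = struct.unpack_from("<4sHHHHIIH", blob, eocd_pos)
    names, pos, end = [], cd_offset, cd_offset + cd_size
    while pos < end and len(names) < total:
        fields = struct.unpack_from(CD_HEADER_FMT, blob, pos)
        if fields[0] != CD_HEADER_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(blob[pos + 46 : pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len  # skip variable-length tail
    return names


def find_duplicate_entries(blob: bytes) -> dict:
    """Return {entry name: count} for every path that occurs more than once."""
    counts = Counter(central_directory_names(blob))
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_apk(duplicate_dex: bool) -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP, optionally carrying a second classes.dex."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on a duplicate name but still writes it
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035 original bytecode (placeholder)")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0")
            if duplicate_dex:
                zf.writestr("classes.dex", b"dex\n035 second copy (placeholder)")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_duplicate_entries(build_sample_apk(duplicate_dex=False)))  # {}
    print(find_duplicate_entries(build_sample_apk(duplicate_dex=True)))   # {'classes.dex': 2}
```

Pointing `find_duplicate_entries` at the bytes of a real APK gives the same answer for that file; an empty result only means this particular trick is absent, not that the archive is clean.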
Be careful of the origin of your software. (Score:3)
That says it all right there. Be careful about the sources of your software. If you're installing software from shady sources or vendors, you probably don't care whether the signature matches that of a legitimate program or not.
Re: (Score:3)
> That says it all right there. Be careful about the sources of your software. If you're installing software from shady sources or vendors, you probably don't care whether the signature matches that of a legitimate program or not.
This is not about apps, it is about updates. Any hacker can create perfectly signed malware - "signed by evil@hacker.com", so at that point you'd have to check where your app comes from. But updates are supposed to be signed by the same entity that signed the original app, so evil@hacker.com can update apps signed by evil@hacker.com, but not apps signed by anyone else. And that's what this vulnerability does: It allows hackers to update legitimate apps with malware by taking a legitimate, signed update and
Re: (Score:3)
Isn't the point of this vulnerability that someone who has a public wireless AP that you're using or other MITM vector (such as NSA) can update your apps and give you bad code as if it came from the real market / real app developer, and bypass the signature protections?
It would be some hella trick to prevent the original app dev from then overwriting their bad code with a fresh copy of the latest version, but then it was getting on the phone in the first place that was supposed to be difficult... I think it
Re: (Score:3)
I'm reading every month about some new vulnerability that enables hackers to get your WPA keys in cleartext with some kind of rainbow tables or government/corporate database, spoof your AP, and convince your phone to join their internets (boom, MITM executed.) I think it would be a lot easier to drive by a few times a week to case the joint and prepare to get the hack ready, then just push out some bogus updates to root your phone after a few successful network privilege escalations, now they have all your
Really a problem? (Score:1)
> and distributed on Android marketplaces in China
How many people do you know that love downloading software from Android marketplaces in China?
Android marketplaces in China (Score:2)
Sounds like a great place to get some high quality apps.
Re: (Score:3)
For people in China, it probably was, until this news!
There are two separate keys that were compromised, if I understand the output of the scanner correctly. KatKiss ROM for Transformer TF-101 has been patched for both since Version 220 or 221. I haven't tried V223b yet because it purports to change a bunch of defaults for performance reasons that I don't want to have to change back again every time I re-flash (but it's out).
Incidentally the source is not available at this time! EOS4 git repos went down
Re: (Score:3)
Problem is, the Play Store is not available in China. In fact, it's not available in a lot of places.
And even in the US there are many legitimate reasons WHY you'd want to "allow non-marketplace apps" to be checked. Say, the Amazon App Store. Or Humble Bundle for Android. Or many legitimate sellers of Android apps who refuse to use the Play Store.
The problem with Android is it's an "all or none" proposition - you can choose the safety of the Play Store,
Re: (Score:2)
One of the keys that was compromised was a Chinese key. BlueBox Scanner told me that my device was vulnerable to that key until just 1 week ago, when KatKiss patched the second bug. Presumably these ROMs are equipped to allow some Chinese authority as an alternative to the Google Play store. I didn't read the advisory, but BlueBox tells me I'm protected now (from a whole 2 security advisories. Don't I just feel safer already?)