Google fixes APK nightmare-waiting-to-happen, sends patch to partners

July 11, 2013 by Nancy Owano weblog

( —As if Android was not getting enough press about exploit opportunities, a Bluebox Security expert let the world know earlier this month that its security team discovered a Master Key vulnerability where hackers could sidestep app verification and install Trojans that can sail through verification without any problems. With this exploit, a hacker can modify a normal Android application package file (APK) without having to break the app's cryptographic signature. That's the ticket. The signature break would have sent off red flags. (Explains Threatpost: Applications are digitally signed to establish or confirm the identity of the developer and the signatures make sure that future updates come from only the developer of the application.)

In his blog, Jeff Forristal, CTO of San Francisco-based Bluebox, wrote: "The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android's security model that allows a to modify APK code without breaking an application's cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user."

The vulnerability could affect nearly 900 million devices—any Android phone released in the last four years.
What's more, Bluebox Security was able to modify an Android device manufacturer's application, he said, to the point where the team had access to all permissions on the device. These might be troubling implications for a vulnerability capable of affecting 900 million devices, especially at a time when BYOD policies are not uncommon in some businesses.

All this can be viewed as much ado about something or might pan out to be much noise about nothing, because Google addressed the problem in a number of ways. Google updated Google Play, to provide checks that can block malicious attempts, so that any Android device user, by sticking to the Google Play area if intending to install any app or update, would not be at risk. Also, according to reports, the latest version of Android, has a built-in app-scanning system to check on apps coming from sources other than Google Play and a phone could block malicious code.

Google, meanwhile, has issued a patch to its hardware partners in the Open Handset Alliance. Manufacturers and carriers need to push it out to end users. Users who are unsure about their device models could check with the manufacture or mobile carrier. Google's Gina Scigliano, Android Communications Manager, said a patch was provided to partners and that some OEMs such as Samsung were shipping the fix to the Android devices.

Forristal said more details about the Android vulnerability will be made known during the Black Hat USA 2013 event in Las Vegas which opens on July 27. His presentation is described as a case study showcasing the technical details of Android security bug 8219321, disclosed to Google in February 2013.

"The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature; that in turn is a simple step away from system access and control."
He will tell how the was located, and the created. "Working PoCs for major Android device vendors will be made available to coincide with the presentation," according to the blurb.

Explore further: Bluebox Security reveals Android vulnerability in run up to Blackhat convention

More information: … -android-master-key/

Related Stories

Google rolls its own keyboard app for Android 4.0 and up

June 6, 2013

( —Google Maps, Google Drive, Google This, Google That….But there is always room for one more new arrival from Google, and now it is in the form of an app called Google Keyboard. Available at the Google Play ...

Researchers ID 'smishing' vulnerability in Android

November 5, 2012

(—Mobile security researchers have identified a new vulnerability in popular Android platforms, including Gingerbread, Ice Cream Sandwich and Jelly Bean. The vulnerability has been confirmed by Google, and will ...

Android users get malware with their apps

March 2, 2011

( -- As new platforms make their way into the market there will always someone who is looking to exploit them for illegal or unethical ends. More proof of that fact has come today when Google was forced to removed ...

Recommended for you

A not-quite-random walk demystifies the algorithm

December 15, 2017

The algorithm is having a cultural moment. Originally a math and computer science term, algorithms are now used to account for everything from military drone strikes and financial market forecasts to Google search results.

US faces moment of truth on 'net neutrality'

December 14, 2017

The acrimonious battle over "net neutrality" in America comes to a head Thursday with a US agency set to vote to roll back rules enacted two years earlier aimed at preventing a "two-speed" internet.

FCC votes along party lines to end 'net neutrality' (Update)

December 14, 2017

The Federal Communications Commission repealed the Obama-era "net neutrality" rules Thursday, giving internet service providers like Verizon, Comcast and AT&T a free hand to slow or block websites and apps as they see fit ...

The wet road to fast and stable batteries

December 14, 2017

An international team of scientists—including several researchers from the U.S. Department of Energy's (DOE) Argonne National Laboratory—has discovered an anode battery material with superfast charging and stable operation ...

1 comment

Adjust slider to filter visible comments by rank

Display comments: newest first

not rated yet Jul 12, 2013
Does this mean that this exploit can be used to "root" an Android phone via operating the app. If so, then it has a useful side.

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.