What is the Android Master Key Vulnerability?

Android is an operating system (OS) designed for mobile touch-screen devices such as smartphones and tablet computers, and it is extremely popular.  Consider how widespread Android smartphones are worldwide: the Android smartphone market share in the US is estimated to be over 52%, and in China it is over 90%!

A vulnerability in the Android operating system (OS) was discovered early in July 2013 by a security organization.  The vulnerability, which affects an estimated 900,000,000 Android devices worldwide, has been code-named “Master Key”.  Although it was only recently discovered, the vulnerability has existed on Android devices running versions 1.6 and higher.  The best I can find is that it has existed since 2009!  (Note: the latest Android version is 4.3, Jelly Bean, released July 24, 2013.)

Why Is This Exploit Dangerous?

The Master Key threat allows anyone to completely control your Android device.  What does that mean to you?  It means that a hacker/bad guy can infect your device and retrieve all your personal and sensitive information: your passwords, your account numbers (think bank and stock accounts), phone numbers, and information about your contacts, including their email addresses.  A hacker who exploits this vulnerability on your device can also monitor all your messaging.

Feeling a little fear yet?  You should as it is appropriate in this case.  The Master Key threat even allows a hacker to use your phone to take pictures and videos, to send premium SMS messages, to disable security software, not to mention join bot nets. (If you don’t remember about bot nets, please see my post “What the Hack is a Bot Net and Why Should I Care?”)

Because of the market saturation of Android devices in China, that country has become a prime target for the Master Key threat.  According to Bluebox.com, the security firm that first discovered the vulnerability, two legitimate apps used in China to find and make doctor appointments have been “trojanized” (infected with Trojan malware) with more attacks expected.

How the “Master Key” Threat Works

It is a bit of a challenge to explain the threat without techie talk.  The security provider Symantec recently explained that “an Android package file, used to install an application, could be modified in a way that did not affect the application’s original cryptographic digital signature. The signature verifies an application’s integrity.” (Source: http://www.pcworld.com/article/2045087/symantec-spots-two-android-apps-using-master-key-vulnerability.html)

This means that the bad guys found a way to turn the very process that verifies an app is safe and untampered into the means of tampering with it!  They use the Android vulnerability to create and install an update for an already installed app, but that update is actually a malicious version of the app, and it is installed without detection and with NO permission required.

So now the “updated” but malicious version of the original app is comfortably in place on the device.  It continues to be usable, albeit now for malicious purposes, while the user of the device, and even the app store, have no clue the updated app is really malware, until catastrophe happens…

How to Protect Against the Vulnerability?

1.  Check For and Apply Device Manufacturer’s Software Updates and Patches ASAP

The first recommendation is to immediately check for and apply OS and software updates from your device manufacturer.  The only good news, according to one source, is that the Samsung Galaxy S4 is already patched and protected against the Master Key threat.

Major brands are acting quickly to get patches out to their markets, but be aware that smaller and lesser-known brands like Cherry Mobile, Starmobile or MyPhone are likely to be slow to release updates.  If you own one of their devices, check with the manufacturer for how they are offering updates and patches.

2.  Use the Google Play Store to Download Apps for the Time Being

Google was quick to release patches in response to the threat.  It is suggested that applications for Android devices currently be downloaded ONLY from Google’s Play Store.  DO NOT download apps from file-sharing sites (torrent sites), since those are the sites of choice for hackers and bad guys.  They are waiting for and counting on you to go there for apps.

3.  Disable Non-Market App Installations

Check that only trusted apps are installed on your device.  On an Android phone, this can be done by selecting Settings > Security and then unchecking the “Unknown Sources” option.

4.  Uninstall Questionable Apps

The following advice is excerpted from pinoytechnoguide.com: “If you have recently installed an app that offers very little use for you, uninstall it. Examples of apps like this are those that serve as ebooks with very few pages. Be especially skeptical in installing apps that ask for a lot of permissions.” (Source: http://www.pinoytechnoguide.com/2013/07/protection-android-master-key-bug.html)

Tool to Scan for the Master Key Threat

I don’t have an Android device, so I can’t verify that the following tool is effective.  I will suggest it only as a resource mentioned in many articles as a scan tool for this exploit.  If you are an Android device user, I suggest you explore this resource further.

So try to picture a room full of 900,000,000 Android devices.  I can’t picture that, either.  But the thought that 900,000,000 devices could be infected and controlled by bad guys who want what you and I have, and are probably already getting it, SCARES me into action.  I hope it does the same for you…

Can You Count That High?