Recent Posts

Community

Email Notifications

Personal Links

Archives

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Android Security - Skullkey trojan horse uses new Master Key Exploit

Android users must be even more cautious when selecting applications, as the new master key vulnerability has quickly materialized into an exploit.  This new attack allows an infected version of an app to spoof digital signature controls.  This new attack is circulating in-the-wild in China:

http://securitywatch.pcmag.com/android/314052-trojans-exploiting-android-master-key-flaw-found-in-the-wild

http://www.symantec.com/connect/blogs/first-malicious-use-master-key-android-vulnerability-discovered

http://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99

Two apps distributed in Chinese marketplaces are exploiting Android's "master key" vulnerability, Symantec researchers found. The "master key" vulnerability, publicized earlier this month, allows attackers to modify existing apps by inserting a malicious file with the exact same name as an existing one in the application package.

When Android opens the package file, it validates the first file's digital signature and doesn't validate the second because it thinks it has already validated that file. The biggest concern was that attackers can exploit the flaw to create malicious apps which can masquerade as legitimate apps and remotely take control of user devices.

Symantec found two apps distributed in an app marketplace in China that were using the exploit. The apps are used to find and make appointments with a doctor.  The Trojan hides using the Android 'Master Key' vulnerability to keep the legitimate app signature valid.  The Trojan allows attackers to perform the following actions:

* Open a back door
* Steal sensitive data (such as IMEI and phone number) and sends it to apkshopping.com
* Send premium SMS messages
* Disable certain security apps by using any available root commands
* Send SMS message to all the device's contacts in order to infect others

More can be found here:

http://msmvps.com/blogs/harrywaldron/archive/2013/07/15/android-security-new-master-key-vulnerability.aspx