Android ‘Master Key’ vulnerability affects 99% of devices

• Has existed since Android 1.6, but no recorded malware taking advantage of vulnerability yet
• Trend Micro however warns that it is only a matter of time before cybercriminals exploit it

THE new vulnerability in Android phones, codenamed ‘Master Key,’ allows installed apps to be modified without the user being aware, and has existed since version 1.6 of the mobile operating system, according to Trend Micro Inc.
 
The security software company said it affects 99% of Android devices, but also noted that there have been no recorded malicious apps taking advantage of the ‘Master Key’ vulnerability.
 
However, it is only a matter of time before cybercriminals develop such malware and get them into the wild, Trend Micro said in a statement.
 
“Since the announcement of this vulnerability, it took less than a week for a security researcher to deliver a proof of concept exploit,” said Goh Chee Hoh (pic), managing director, SEA Region, Trend Micro.
 
“We are pretty certain cybercriminals have been doing their own development and testing and we will see malicious apps popping up on third party apps stores and websites in the very near future,” he added.
 
The vulnerability is related to how Android apps are signed. All Android apps have a digital signature from their developer, which verifies that the app actually did come from the developer and was not modified en route, Trend Micro said in a blog on the issue.
 
An app can only be updated if the new version has a matching signature from the same developer.
 
This particular vulnerability is in that last step. What researchers have found is a way for attackers to update an already installed app even if they do not have the original developer’s signing key. In short, any installed app can be updated with a malicious version.
 
This vulnerability can be used to replace legitimate apps on an Android device with malicious versions. Apps with many permissions – like those from the phone’s manufacturer or the user’s service provider – are at particular risk, the company said.
 
Once on the device, they can behave in the way that any malicious app would, except the user would think they were a completely legitimate app. For example, a modified or ‘trojanised’ app for a bank would continue to work for the user, but the credentials would have been sent to an attacker, Trend Micro said.
 
Google has since released a patch for the Android operating system and provided it to carriers and device manufacturers. However due to the fragmented nature of the Android ecosystem, it is likely to take quite a while for most people to receive the update.
 
“The fragmented nature of Android is a fact of life and fixes for vulnerabilities and security patches will likely never reach a large percentage of users,” said Goh.
 
“Unfortunately this is the case where I am afraid a large number of people are going to remain vulnerable” he added.
 
Related Stories:

Symbian malware disappearing, Android malware surges: F-Secure report
 
Maxis ties up with Symantec to secure users’ Android devices
 
10 tips for companies to prevent mobile malware
 
 
For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.