Android Master Key Malware Surfaces in China

July 30, 2013

The first known malware to exploit the Android master key vulnerability described by Bluebox Security has been found in an application market based in China, a McAfee researcher reported this week.

Mobile malware researcher Daisuke Nakajima said the app used the vulnerability to hide the malicious classes.dex from Android’s package signature verification.

“This vulnerability allows an attacker to inject malicious code by putting duplicate executable files, such as classes.dex, in an application package,” Nakajima said.

“The package verification step at installation is done against the original, legitimate file, but at runtime the second, malicious file takes over. The attacker’s malicious code in the second classes.dex collects and sends the device’s sensitive information to remote servers and also sends SMS messages to those who are in the victim’s contact list.”

Jeff Forristal, chief technology officer at Bluebox, who publicly reported the vulnerability early in July, said the company had released a free app to help consumers and enterprises manage the master key vulnerability.

“The Bluebox Security Scanner app produced by our research team allows you to directly check if your Android device has been patched for this vulnerability without the hassle of having to contact the device manufacturer or mobile carrier,” he said.

“It will also scan devices to see if there are any malicious apps installed that take advantage of this vulnerability. Once we discovered the bug we set out to create a tool to help individuals to evaluate their risk,” Forristal said.

Another McAfee staffer, chief mobile architect Jeremy Bennett, said in a blog post that Google had taken two critical actions.

“The first, and most effective, was to make sure that there are no apps in Google Play that exploit this vulnerability,” he said. “We can assume, too, that any new apps are also being checked. The second was to contact all of the Android original equipment manufacturers to provide them with a patch that disallows duplicate files in APKs.”
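The rule Bennett describes, rejecting any package that lists the same file name twice, can be checked on an APK before it is installed. The sketch below is an added example, not code from Google, McAfee or the Bluebox scanner; the function names and the placeholder archives are assumptions made for illustration, and it inspects the ZIP central directory as Python's `zipfile` module reads it.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk):
    """Return {entry name: count} for names listed more than once.

    `apk` is a path or a binary file object. infolist() walks the ZIP
    central directory and keeps every record, including repeated names.
    """
    with zipfile.ZipFile(apk) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk):
    """Apply the duplicate-file rule: any repeated entry name rejects the package."""
    return bool(duplicate_entries(apk))


def constructed_sample(duplicate):
    """Build a tiny in-memory archive with placeholder bytes (constructed test data)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile itself warns when a name is written twice; silence it here.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"placeholder manifest")
            zf.writestr("classes.dex", b"placeholder A")
            if duplicate:
                zf.writestr("classes.dex", b"placeholder B")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, dup in (("clean", False), ("duplicate", True)):
        sample = constructed_sample(dup)
        print(label, duplicate_entries(sample), is_suspicious(sample))
```

A repeated `classes.dex` is the case Nakajima describes, but the check flags any repeated name, since verification and loading can disagree on which copy they read.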

Bennett said the most important thing for Android users to do was to “install any and all security updates available for your device.”

“Unfortunately, there is often a significant delay between Google providing a patch and updates being available on your device. This is due both to the needs for the OEM to integrate and test the patch on all of their supported devices but also, in the case of phones, for the carrier to do the same,” Bennett said.
