All you need to know about Android Master Key vulnerability
As you may have heard by now, the recent discovery of the Master Key vulnerability
is by far the most threatening vulnerability in Android. If you are
still uninformed about this development, sit back and see what it’s all
about and why there’s good reason to be scared.
What is Master Key?
To understand what Master Key is, we must first understand what happens when you install any application on your Droid. All Android apps and games are APK files (short for Android Package). These are essentially bit-compressing .zip files that have a different file extension and contain all the resources one needs to run the particular app. These resources are packaged within very specifically-named files, so as to be compatible with all Android devices. When you install the app, the device recognises each resource file and executes them.
The Master Key vulnerability allows attackers to insert two files with the same name into the package. The Android verifier baked into the OS checks for file signatures for the first instance of any file with duplicate names; however, it will extract and install only the second (or latest) version of the file. This is the Master Key exploit, which was discovered by researchers from Bluebox, a security startup. The company will announce the full details of this vulnerability at Las Vegas at the Black Hat conference later this month, so it may be that the full extent of its powers are still unclear. But from what we know so far, it works by including in the APK, a legitimate file and a second file with the same name that's modified to do whatever the attacker wants. The real danger, of course, is that the app will look like the official version and function 100 percent regularly, but could be executing malicious code in the background.
A similar loophole, which exploits another resource file in a package (classes.dex, to be specific), was found in the wild in China this week and is allegedly being used by two apps. This particular way to breach regular-looking apps is not as versatile as the original Master Key discovery as it needs the duplicate file to be of a particular size, so it has limitations. As you may know, China does not have access to paid apps from the Google Play Store, so third-party app storefronts and "warez" sites are the go-to option for Chinese Android users to experience the same apps. This is a highly insecure environment, which exposes users to exploits such as the Master Key and any variants.
What does it do?
The potential of the Master Key exploit is only limited by the devious imagination of the attacker. It could be as simple as using your Android to spy on your location and all communication. A scarier scenario is that your device could be used to send premium-rate texts, make background calls (when your phone is sleeping) to the same high-rate numbers, use background data and thus bleed you out of your money. The situation turns worse if you are using your device for business email and storing confidential enterprise data. The exploit can be used to access all such files and thus damage more than just your personal life.
Attackers can modify system-level software information and can inject their own information, as shown by Bluebox's screenshot of an exploited device below. In this case, the firm changed the Baseband Version name to include BlueBox, something that normally follows the system firmware and is decided by the OEM.
The biggest threat is that your device can be used to create a scary botnet. Botnet is a portmanteau of robot and network, and is a collection of programs that are connected to the internet. It started off as a way to bring live interactive communication (you may know this as chat) and synchronous conferencing to the Internet, making it mimic real-life communication.This is a very mundane use of a botnet.
But botnets could also be used to send spam emails from your system, thus giving the spammer an alibi. In its most evil form, however, a botnet can be used to conduct Distributed Denial of Service (DDoS) attacks. Since smartphones and tablets running Android have high user involvement, it becomes that much more dangerous when they are part of a botnet used to conduct DDoS attacks. It will essentially allow the attacker to use your device to bring down web servers, and if left uncontrolled, can even take down the Internet. If it must be pointed out, this will cause huge financial and infrastructural damage to governments and organisations invested in the net.
What is Master Key?
To understand what Master Key is, we must first understand what happens when you install any application on your Droid. All Android apps and games are APK files (short for Android Package). These are essentially bit-compressing .zip files that have a different file extension and contain all the resources one needs to run the particular app. These resources are packaged within very specifically-named files, so as to be compatible with all Android devices. When you install the app, the device recognises each resource file and executes them.
Looking to infect
The Master Key vulnerability allows attackers to insert two files with the same name into the package. The Android verifier baked into the OS checks for file signatures for the first instance of any file with duplicate names; however, it will extract and install only the second (or latest) version of the file. This is the Master Key exploit, which was discovered by researchers from Bluebox, a security startup. The company will announce the full details of this vulnerability at Las Vegas at the Black Hat conference later this month, so it may be that the full extent of its powers are still unclear. But from what we know so far, it works by including in the APK, a legitimate file and a second file with the same name that's modified to do whatever the attacker wants. The real danger, of course, is that the app will look like the official version and function 100 percent regularly, but could be executing malicious code in the background.
A similar loophole, which exploits another resource file in a package (classes.dex, to be specific), was found in the wild in China this week and is allegedly being used by two apps. This particular way to breach regular-looking apps is not as versatile as the original Master Key discovery as it needs the duplicate file to be of a particular size, so it has limitations. As you may know, China does not have access to paid apps from the Google Play Store, so third-party app storefronts and "warez" sites are the go-to option for Chinese Android users to experience the same apps. This is a highly insecure environment, which exposes users to exploits such as the Master Key and any variants.
What does it do?
The potential of the Master Key exploit is only limited by the devious imagination of the attacker. It could be as simple as using your Android to spy on your location and all communication. A scarier scenario is that your device could be used to send premium-rate texts, make background calls (when your phone is sleeping) to the same high-rate numbers, use background data and thus bleed you out of your money. The situation turns worse if you are using your device for business email and storing confidential enterprise data. The exploit can be used to access all such files and thus damage more than just your personal life.
Attackers can modify system-level software information and can inject their own information, as shown by Bluebox's screenshot of an exploited device below. In this case, the firm changed the Baseband Version name to include BlueBox, something that normally follows the system firmware and is decided by the OEM.
A Bluebox-exploited HTC device (Image credit: Bluebox)
The biggest threat is that your device can be used to create a scary botnet. Botnet is a portmanteau of robot and network, and is a collection of programs that are connected to the internet. It started off as a way to bring live interactive communication (you may know this as chat) and synchronous conferencing to the Internet, making it mimic real-life communication.This is a very mundane use of a botnet.
But botnets could also be used to send spam emails from your system, thus giving the spammer an alibi. In its most evil form, however, a botnet can be used to conduct Distributed Denial of Service (DDoS) attacks. Since smartphones and tablets running Android have high user involvement, it becomes that much more dangerous when they are part of a botnet used to conduct DDoS attacks. It will essentially allow the attacker to use your device to bring down web servers, and if left uncontrolled, can even take down the Internet. If it must be pointed out, this will cause huge financial and infrastructural damage to governments and organisations invested in the net.
Comments