As you may have heard by now, the recent discovery of the Master Key vulnerability is by far the most threatening vulnerability in Android. If you are still uninformed about this development, sit back and see what it’s all about and why there’s good reason to be scared.
What is Master Key?
To understand what Master Key is, we must first understand what happens when you install any application on your Droid. All Android apps and games are APK files (short for Android Package). These are essentially bit-compressing .zip files that have a different file extension and contain all the resources one needs to run the particular app. These resources are packaged within very specifically-named files, so as to be compatible with all Android devices. When you install the app, the device recognises each resource file and executes them.
Looking to infect
The Master Key vulnerability allows attackers to insert two files with the same name into the package. The Android verifier baked into the OS checks for file signatures for the first instance of any file with duplicate names; however, it will extract and install only the second (or latest) version of the file. This is the Master Key exploit, which was discovered by researchers from Bluebox, a security startup. The company will announce the full details of this vulnerability at Las Vegas at the Black Hat conference later this month, so it may be that the full extent of its powers are still unclear. But from what we know so far, it works by including in the APK, a legitimate file and a second file with the same name that's modified to do whatever the attacker wants. The real danger, of course, is that the app will look like the official version and function 100 percent regularly, but could be executing malicious code in the background.
A similar loophole, which exploits another resource file in a package (classes.dex, to be specific), was found in the wild in China this week and is allegedly being used by two apps. This particular way to breach regular-looking apps is not as versatile as the original Master Key discovery as it needs the duplicate file to be of a particular size, so it has limitations. As you may know, China does not have access to paid apps from the Google Play Store, so third-party app storefronts and “warez” sites are the go-to option for Chinese Android users to experience the same apps. This is a highly insecure environment, which exposes users to exploits such as the Master Key and any variants.
What does it do?
The potential of the Master Key exploit is only limited by the devious imagination of the attacker. It could be as simple as using your Android to spy on your location and all communication. A scarier scenario is that your device could be used to send premium-rate texts, make background calls (when your phone is sleeping) to the same high-rate numbers, use background data and thus bleed you out of your money. The situation turns worse if you are using your device for business email and storing confidential enterprise data. The exploit can be used to access all such files and thus damage more than just your personal life.
Attackers can modify system-level software information and can inject their own information, as shown by Bluebox's screenshot of an exploited device below. In this case, the firm changed the Baseband Version name to include BlueBox, something that normally follows the system firmware and is decided by the OEM.
A Bluebox-exploited HTC device (Image credit: Bluebox)
The biggest threat is that your device can be used to create a scary botnet. Botnet is a portmanteau of robot and network, and is a collection of programs that are connected to the internet. It started off as a way to bring live interactive communication (you may know this as chat) and synchronous conferencing to the Internet, making it mimic real-life communication.This is a very mundane use of a botnet.
But botnets could also be used to send spam emails from your system, thus giving the spammer an alibi. In its most evil form, however, a botnet can be used to conduct Distributed Denial of Service (DDoS) attacks. Since smartphones and tablets running Android have high user involvement, it becomes that much more dangerous when they are part of a botnet used to conduct DDoS attacks. It will essentially allow the attacker to use your device to bring down web servers, and if left uncontrolled, can even take down the Internet. If it must be pointed out, this will cause huge financial and infrastructural damage to governments and organisations invested in the net.
Plethora of options for pirated apps
How to protect yourself?
Raise your hands if you’ve ever used a pirated app instead of paying up for it on the Play Store. You could very well be in danger. Piracy of apps is rampant in India, as is evident from the number of Indian users on websites that provide downloadable, cracked APKs. A simple search for members based on their location yielded 1,267 pages of results for India on one such website (iPmart). So it’s essential that users DO NOT (we cannot stress this enough) install apps downloaded from such sources. You are just inviting a world of trouble.
Secondly, head to Settings now and to the Security page. Here, uncheck the box that lets you install apps from unknown sources (It says Unknown Sources). And it's also a good idea to check the box that asks you whether Android should verify apps before installation. Those who use only the Google Play Store to get their content should most likely be safe considering Google released a patch for the Master Key almost immediately after it surfaced and also seeded it to OEMs. However, just the fact that OEMs have the update doesn’t mean your device will too. After all, how many devices get official updates (even minor firmware bump-ups) from their companies?
A vital step
Perhaps this is too simplistic, but it’s always a good idea to verify who the developer is even when you are using the Play Store. Look for how many apps the developer has released (a lone app released recently should raise alarms), read the user reviews and do a search for how the app has been received in the media, if at all. As an alternative, one could install (from the Play Store, of course) any number of apps that scan APKs before they are installed. You can also check if your Android is vulnerable to Master Key thanks to Bluebox's app.
Malware on Android is not new and neither will the Master Key exploit be the last one that will threaten these devices, but we are glad that it was discovered by security researchers and not first found infecting devices in the wild. With the Black Hat conference scheduled for July 27, we don’t have to wait too long for more details about this particular exploit to emerge.
Publish date: July 25, 2013 7:53 pm| Modified date: January 7, 2014 11:54 am