What do the Android “master key” vulnerability and your morning coffee drive-thru routine have in common?

Bluebox Labs last week announced a vulnerability in the Android code that verifies cryptographic signatures and installs apps. They plan to publicly disclose the details in their upcoming Black Hat USA talk. Google has patched the vulnerability, and some device vendors have already started picking up the fix.

Understanding the threat

Every Android app package must be cryptographically signed by its author before Android will install it. A very common threat vector on Android is trojanizing trusted applications: a malicious party modifies a trusted app and adds malicious functionality to it. Consider, for example, a known trustworthy company, GoodGuys, that publishes a game, AwesomeGame, and sells it for a price.

A malicious group, BadBoys, can take that app, add malicious functionality (stealing user data, calling or sending SMS to premium-rate numbers, and so on) while retaining the original game functionality, and publish it on a third-party app store, enticing users to download it as a free pirated copy of AwesomeGame.

To publish it on Google Play, BadBoys would have to bypass Google Play’s security checks, and even then could only publish it under a similar-sounding or similar-looking name rather than as GoodGuys, unless they had obtained GoodGuys’ login credentials for their Google Play account. On top of that, to have the trojanized package accepted as AwesomeGame itself (for example, as an update over an installed copy), BadBoys would need GoodGuys’ private signing key, because Android refuses an update whose signing certificate does not match the installed app.

With the vulnerability that Bluebox Labs responsibly disclosed to Google, BadBoys can release a trojanized AwesomeGame installation file that contains code not signed by GoodGuys, yet when Android installs it, the system is tricked into believing that every part of the app is signed by GoodGuys.

Do you need to worry?

It depends on where you get your apps. If you follow best practices, only install apps from Google Play, and pay attention to the author details, you are very unlikely to be affected: the attacker would have to bypass several security measures to deliver an app through that trusted channel while pretending it comes from GoodGuys. The practical exposure is in sideloading packages from third-party stores and other untrusted sources.

Vulnerability Details

The vulnerability details are expected to be publicly disclosed by Bluebox Labs at the upcoming Black Hat USA conference, but the details and a proof of concept have since appeared online. They are easy to find, and I would rather not repeat them here.

But as I mostly do, I would like to give an analogy to explain the vulnerability.

Recall your drive-thru experience during your morning commute. In many setups you pass through two windows: at the first one you pay, and at the second one you pick up your order. The attendant at the second window is fairly sure that you are the one who just paid at the previous window. Now imagine (hard to pull off with physical cars and human attendants, but quite easy in the binary world) that the car behind you hit you, pushed you out of the lane, and presented itself to the attendant at the second window. That, essentially, is what this vulnerability is about.
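To make the analogy concrete, here is an added example (my own code, not Bluebox’s proof of concept or Android’s sources) of the general bug class the two-window story describes: one component verifies a package against its signed manifest, a second, independently written component installs from the same package, and the two disagree about which record a name refers to when the archive contains that name twice. The signing scheme is deliberately simplified (a manifest listing one hex SHA-256 per entry; real APKs use base64 digests plus a CERT.SF/CERT.RSA signature over the manifest, which we assume has already been checked), and the “app” contents are constructed sample bytes. The hardened verifier at the end does the two things a practitioner should insist on: it refuses an archive with any repeated entry name, and it hands the installer exactly the bytes it hashed rather than letting the installer re-resolve names on its own.

```python
"""Toy model of a verify-vs-install mismatch in a signed zip container.
Added example, not code from the original post. Signing scheme simplified:
a manifest with a hex SHA-256 per entry; the manifest's own signature is
assumed to have been verified already."""
import hashlib
import io
import warnings
import zipfile

# Constructed sample data: GoodGuys' original entries and BadBoys' replacement code.
GOOD_DEX = b"dex\n035\x00 AwesomeGame original bytecode"
GOOD_LAYOUT = b"<LinearLayout/>"
EVIL_DEX = b"dex\n035\x00 BadBoys trojan: premium-rate SMS"


def build_manifest(entries):
    """Simplified META-INF/MANIFEST.MF: one hex SHA-256 digest per named entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries:
        lines += [f"Name: {name}", f"SHA-256-Digest: {hashlib.sha256(data).hexdigest()}", ""]
    return "\n".join(lines).encode()


def parse_manifest(blob):
    digests, name = {}, None
    for line in blob.decode().splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            digests[name] = line[16:]
    return digests


def build_apk(manifest, entries):
    """Write entries in the given order. A repeated name produces two distinct
    zip records with the same filename; zipfile only warns, so we silence it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf, warnings.catch_warnings():
        warnings.simplefilter("ignore")
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def verify_naive(apk):
    """First window: checks every manifest entry, but resolves each name with
    ZipFile.read(), which maps a duplicated name to the LAST record."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        return all(hashlib.sha256(zf.read(n)).hexdigest() == d for n, d in digests.items())


def install_first(apk, name):
    """Second window: a separately written parser that takes the FIRST record
    carrying the requested name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.open(info).read()
    raise KeyError(name)


def verify_strict(apk):
    """Hardened: parse once, reject any repeated name, require every non-META-INF
    record to be listed in the manifest and to match, and return the exact bytes
    that were hashed as {name: data}. Returns None on any failure."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        if len(names) != len(set(names)):
            return None  # a second car in the lane: refuse the whole archive
        digests = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        verified = {}
        for info in infos:
            if info.filename.startswith("META-INF/"):
                continue
            data = zf.open(info).read()
            if hashlib.sha256(data).hexdigest() != digests.get(info.filename):
                return None  # unlisted entry or digest mismatch
            verified[info.filename] = data
        return verified


MANIFEST = build_manifest([("classes.dex", GOOD_DEX), ("res/layout/main.xml", GOOD_LAYOUT)])
LEGIT_APK = build_apk(MANIFEST, [("classes.dex", GOOD_DEX), ("res/layout/main.xml", GOOD_LAYOUT)])
# BadBoys' package: the unsigned code comes first, GoodGuys' signed copy last, so the
# naive verifier sees the signed copy while the installer picks up the unsigned one.
TROJAN_APK = build_apk(MANIFEST, [("classes.dex", EVIL_DEX),
                                  ("res/layout/main.xml", GOOD_LAYOUT),
                                  ("classes.dex", GOOD_DEX)])

if __name__ == "__main__":
    print("naive verify, legit :", verify_naive(LEGIT_APK))
    print("naive verify, trojan:", verify_naive(TROJAN_APK))
    print("installed classes.dex:", install_first(TROJAN_APK, "classes.dex"))
    print("strict verify, trojan:", verify_strict(TROJAN_APK))
```

Running it shows the naive verifier accepting both packages while the installer loads BadBoys’ code from the trojanized one; the strict verifier rejects the trojanized package outright. The general lesson is not specific to Android or to zip: whenever two components parse the same container independently, the only safe design is to verify and consume the same parsed view, and to treat any ambiguity in that view (a repeated name, an unlisted record) as a reason to refuse the whole package rather than to pick a winner.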
