Google has patched a “master key” vulnerability in Android that was recently identified by Bluebox Security, according to an industry report. The vulnerability, which allowed hackers to modify APK code without breaking an app’s cryptographic signature, could convert 99 percent of all Android apps into malicious Trojans, claimed Bluebox.
We don’t hear about Android security risks quite as often as in previous years, but the “master key” vulnerability announced last week by Bluebox Security was a doozy. The vulnerability could affect up to 900 million devices released with Android 1.6 or higher, with the capacity of turning up to 99 percent of Android apps into Trojan malware, claimed the security firm.
On July 8, ZDNet’s Steven J. Vaughan-Nichols reported that Google confirmed that a fix for the problem was on the way. Gina Scigliano, Google’s Android Communications Manager, was quoted as saying that a patch for the vulnerability had been provided to Google’s Android partners. “Some OEMs, like Samsung, are already shipping the fix to the Android devices,” she added.
Scigliano also suggested that the vulnerability was not as dangerous as Bluebox claimed, noting that Google’s scanning tools had not seen any evidence of exploitation in Google Play or other Android app stores. She also noted that Android’s Verify Apps function would also likely provide protection for apps that might have been turned by a master key exploitation.
According to Bluebox, it told Google about the Android security bug in February. Since then, Google has been working on the problem and has informed its partners in the Open Handset Alliance, but did not publicly acknowledge the risk until now. According to a report on the H, the CyanonogenMod project known for its popular open source Android clones, patched its code to fix the bug on July 7, but Google’s AOSP open source version of Android had yet to be patched.
The genius of the exploitation is that it can take advantage of the master key vulnerability to crack APK (Android application package files) without having to break their cryptographic signature. Yet, as the H points out, while exploiting the bug is rather straightforward, malicious hackers would still need to get past Google Play’s security features to post the modified malware versions of the apps.
Over the years, numerous mobile security firms have announced Android vulnerabilities, gaining extensive publicity in the process. Most claims have been legitimate, but are often overblown by the security firm or the press, and some claims have proved to be misleading. This one appears to be legitimate, but is perhaps less dangerous than originally claimed.
Jelly Bean beats out Gingerbread
Google has continued to update Android with security features over the years, and while it still can’t match the tightly controlled iOS security framework, the situation appears to be improving. Android is also improving on its other biggest flaw: version fragmentation. On July 8, Google released its monthly statistics on Google Play usage, revealing that for the first time visitors using Jelly Bean (Android 4.1 and 4.2) outnumbered those using Gingerbread (Android 2.3). Jelly Bean users rose from 33 percent in June to 37.9 percent in July while Gingerbread fell from 36.5 percent to 34.1 percent.
Android usage for the 14-day period ending July 18, 2013
The intervening Ice Cream Sandwich (Android 4.0) came in third at 23.3 percent, down from 25.6 percent. The good news is that the older Donut, Éclair, and Froyo builds combine for less than 5 percent, and the ill-fated Honeycomb tablet firmware ranks at just 0.1 percent. Meanwhile Android 4.x devices represent over 61 percent of the visitors, giving users a fairly modern set of security patches and performance updates. They also share fairly similar functionality, making it easier on developers than in years past. It does not appear that the apparently modest Android 4.3 upgrade will fall far from the Jelly Bean tree.