What is the Master Key Vulnerability?
The Master Key vulnerability was discovered by a security group called Bluebox. Bluebox consist of well-respected security developers who are dedicated in the fight against mobile attacks. The Bluebox Security research team discovered a vulnerability within the Android security model that allows an attacker to turn any legitimate application into a malicious Trojan horse. The hacker accomplishes this by modifying the APK code without modifying the application’s cryptographic signature. The Android Application Package file (APK) is the file format used by Google’s Android operating system to distribute and install applications. An APK contains many elements, including the app’s code and certificates. Android apps come with digital signatures. A digital signature is what makes an application legit. Digital signatures confirm the identity of an app’s developer and they ensure that future updates are issued solely by the app’s developer. Breaking the cryptographic signature of any app is an indication that the app has been tampered with. The Maser Key vulnerability not only allows the attacker to make these changes to Android apps, the changes are unnoticed by the app store, mobile device, and end user.
What Are the Implications?
The Master Key vulnerability is scary. Attackers can literally create Trojan horse apps (fake apps) on the fly, which will allow them to gain full access to your Android system and all applications (including your data). So what does this mean? Well, the Trojan horse is capable of capturing your personal data (email, SMS messages, photos, documents, etc.) as well as user account information and passwords. Furthermore, it can launch attacks, such as make phone calls or send text messages and maybe even turn on your camera and record calls.
For enterprise users, there are other issues to deal with. Because users in the workforce may have elevated privileges to corporate information, it may be possible that the vulnerability can allow an attacker to gain access to sensitive information.
What Can Be Done to Prevent This?
Google has released a fix in response to Bluebox Security’s findings. Google stated that the security hole has been patched and has been released to the Original Equipment Manufacturers (EOM). So, Google has responded well and quickly developed a patch to correct this issue. It is now up to the mobile device manufacturers add the security patch to upcoming updates. While you wait for your provider to release the update, you can mitigate the Master Key vulnerability by:
- Use an Android Antivirus app -- McAfee Mobile Security offers security against this vulnerability.
- Be cautious about identifying the app’s publisher you want to install.
- Download from Google Play Store – Google is on high-alert and the assumption is that they will be aggressively monitoring APKs for any kind of suspicious acts. Downloading apps from other sources could be dangerous.