Wednesday, 24 July 2013 19:00

Malware Using Android "Master Key" Flaw Found In the Wild


Remember how everyone was up in arms over the existence of a “Master Key” bug in all versions of the Android operating system? Well, it looks like someone has found a way to use the flaw to their advantage. Symantec has found two apps (available in China) that use the Master Key flaw to spread a new form of malware. To give a little background, the original flaw was publicly disclosed by Bluebox Security on the 3rd of July 2013. It was reported to Google in February 2013. The flaw allows a malicious individual (or group) to alter an application without affecting the app’s cryptographic signature. This means that the altered app looks exactly like a legitimate app, bypassing the security at the app store and the phone level.


In short, the flaw allows a malicious bit of code to mimic a legit app, which can then be used to do whatever the hacker wants it to, including capture data (calls, texts, emails, etc.), create a botnet, and potentially run up your phone bill with premium services. The good news here is that Google has fixed this serious (and rather embarrassing) flaw. The bad news is that unless you are using a stock Google phone you are not likely to be getting the fix very soon. You see, Google controls the OS, but the individual manufacturers and carriers are the ones that get the final say on the release of updates.

It is something of a comedy, to be honest. Each manufacturer will receive the update at the same time, but from there they are going to test it to be sure their apps and UI still work. If anything is not right they will have to do extra work to correct that. From there the new UI gets pushed to the carrier, who will have their own things to put in before allowing it to be pushed out to the end user (I know I could not live without Sprint Zone *sarcasm*). This can delay the release of a needed patch by weeks (and in a few cases months).

Although this is a serious flaw and Google should be embarrassed that it exists at all, some have chosen to use it to bolster Apple’s falling reputation. They correctly state that since Apple controls everything about the iPhone, updates are pushed out to users more quickly when needed. The one thing they miss is that Apple often ignores or buries bug reports for months (and in some cases years). While they do push out periodic security updates, these are not as common as feature updates in the Apple world.

Apple’s failings aside, this is something that Google will probably have to deal with sooner rather than later. We know that Google has been trying to get manufacturers and carriers to adopt stock Android phones for people that do not want to deal with all the fluff and crap from both the makers and the carriers, but this is not going to solve the delay that Google faces each time they do need to patch something. It means that millions of Android users are vulnerable until the carriers and manufacturers get off their asses and decide to get this important patch to the market. It also means that Google let a serious flaw sit in their operating system for a very long time. Which raises the question of whether their movement on this bug was because it was reported, or because they knew that once it was reported it would end up being released to the public.

Tell us what you think about this in our Forum


Last modified on Wednesday, 24 July 2013 19:07
