Slashdot Mirror


First Apps Targeting Android Key Vulnerability Found in the Wild

wiredmikey writes with this tidbit from Security Week: "Earlier this month, researchers from Bluebox Security uncovered a serious vulnerability in Android that allowed for the modification of apps without affecting the cryptographic signature, making it possible for attackers to turn legitimate apps into Trojans. ... Now, Symantec says it has uncovered the first malicious apps making use of the exploit in the wild. Symantec discovered two mobile applications that were infected by an attacker, which are legitimate applications used to help find and make doctor appointments and distributed on Android marketplaces in China. 'An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,' Symantec explained in a blog post. ... Google has fixed the security hole in Android, but it is now in the control of handset manufacturers to produce and release the updates for mobile devices to patch the flaws."
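The tampering pattern behind this bug, as an added defensive example that is not code from the article, Bluebox or Symantec: the publicly documented trigger is an APK whose ZIP central directory lists two entries with the same name, so the signature verifier checks one copy while the installer extracts the other. The scanner below flags such archives; the sample APKs it builds are constructed inline purely to exercise the check, and the function names are assumptions of this example.

```python
"""Flag APKs (ZIP archives) that repeat an entry name.

Added example, not code from the story or from Bluebox/Symantec. The
documented trigger of the 2013 Android "master key" bug was an APK with
two entries of the same name, where the signature verifier and the
installer disagreed on which copy counts. A defensive scanner can
therefore treat any repeated entry name in the central directory as
suspicious.
"""
import io
import warnings
import zipfile


def duplicate_entries(apk_bytes: bytes) -> dict[str, int]:
    """Return {entry_name: count} for every name listed more than once."""
    counts: dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() walks the central directory and keeps every record,
        # so duplicate names are visible here (getinfo() would hide them).
        for info in zf.infolist():
            counts[info.filename] = counts.get(info.filename, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive repeats at least one entry name."""
    return bool(duplicate_entries(apk_bytes))


def build_sample(duplicate: bool) -> bytes:
    """Constructed sample: a minimal fake APK, optionally with a repeated entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035 original")
        if duplicate:
            with warnings.catch_warnings():
                # zipfile warns about the duplicate name but still writes it
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035 replacement")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"duplicate={flag}: {duplicate_entries(build_sample(flag))}")
```

Note that `ZipFile.getinfo()` and `read()` by name return only the last copy, so a scanner that resolves entries by name would miss exactly the condition it is looking for.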

  1. In other words ... by gstoddart · Score: 5, Insightful

    Google has fixed the security hole in Android, but it is now in the control of handset manufacturers to produce and release the updates for mobile devices to patch the flaws.

    So, in other words, most people are screwed, because most of the manufacturers pretty much never really do updates.

    I think that has to be the biggest limitation of the platform -- it is so fragmented, you could easily end up with a device which is never going to see updates.

    --
    Lost at C:>. Found at C.
    1. Re:In other words ... by Sockatume · Score: 2

      I wouldn't be surprised if Android 5.0 took some measures to decouple important system functions like this from the user experience layer in such a way that Google could roll out important, low level updates while leaving the overall experience in the hands of the carriers.

      Of course then Google would be responsible for making sure the update is compatible with every available Android device, rather than the carriers and manufacturers.

      --
      No kidding!!! What do you say at this point?
    2. Re:In other words ... by HycoWhit · Score: 4, Informative

      There are two apps you need to know about: ReKey from Duo Security and Northeastern University. ReKey will fix the Master Key problem if you do not want to wait for a patch from your carrier. (http://www.rekey.io/)

      The other app is from Bluebox Security and is called Bluebox Security Scanner. The Scanner app will simply tell you if your phone has the Master Key vulnerability.

    3. Re:In other words ... by CastrTroy · Score: 4, Insightful

      This is one reason where I think that Apple really has it right. Ensuring that users can easily get software updates for the entire phone ensures that they have a good user experience (for the most part, e.g. Apple Maps). But Android is such a mess in this respect. Google seems to get this with the Nexus line of phones, but the other vendors seem to do a pretty bad job. And even if they release an update, it can sometimes be blocked by the network owner, or the update won't be for the network you happen to be with. It's like if you bought a Dell computer and when Windows came out with a new OS, you could only get the new version if Dell allowed it.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    4. Re:In other words ... by Anonymous Coward · Score: 2, Informative

      This has already been happening: at Google I/O this year there were loads of announcements of changes and new APIs, but these were all done through app updates; no new OS revision was released. So bit by bit they are carefully moving key features out of the base install and into APKs that can be updated through the Play Store. There are certain features that require an OS update to liberate them, but it looks promising.

    5. Re:In other words ... by jeffmeden · Score: 4, Insightful

      I'm already happy I bought a Google Edition phone then, and don't have to wait for the damn handset and/or telco assholes to get off their butts to issue a fix.

      Except... wait for it...

      OEMs (Samsung, LG, HTC, etc) have already patched this, and have already gotten code past the carriers. And Google? Every Nexus device STILL HAS THIS HOLE. Fragmentation is not the issue, mobile security is just fucking hard.

    6. Re:In other words ... by Rich0 · Score: 3, Insightful

      Really, the way that people spend $400-$500 on a device and think that they are entitled to lifetime support for bugfixes AND updates amazes me.

      Microsoft of all companies set the expectation here. Your $500 laptop from 2000 running XP STILL gets security updates every patch Tuesday. And certainly Android can't hold a candle to Wintel when it comes to fragmentation.

  2. Be careful of the origin of your software. by CastrTroy · Score: 2

    distributed on Android marketplaces in China

    That says it all right there. Be careful about the sources of your software. If you're installing software from shady sources or vendors, you probably don't care whether the signature matches that of a legitimate program or not.

    --
    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Be careful of the origin of your software. by gnasher719 · Score: 2

      That says it all right there. Be careful about the sources of your software. If you're installing software from shady sources or vendors, you probably don't care whether the signature matches that of a legitimate program or not.

      This is not about apps, it is about updates. Any hacker can create perfectly signed malware - "signed by evil@hacker.com" - so at that point you'd have to check where your app comes from. But updates are supposed to be signed by the same entity that signed the original app, so evil@hacker.com can update apps signed by evil@hacker.com, but not apps signed by anyone else. And that's what this vulnerability does: it allows hackers to update legitimate apps with malware by taking a legitimate, signed update and adding their malware to it.

    2. Re:Be careful of the origin of your software. by Yebyen · Score: 2

      Isn't the point of this vulnerability that someone who has a public wireless AP that you're using or other MITM vector (such as NSA) can update your apps and give you bad code as if it came from the real market / real app developer, and bypass the signature protections?

      It would be some hella trick to prevent the original app dev from then overwriting their bad code with a fresh copy of the latest version, but then it was getting on the phone in the first place that was supposed to be difficult... I think it would be trivial to know what app your target uses, know that an update is coming down the pipe, intercept it, and push out your own malicious update in its place, as long as they stay on your network.

      Would someone with more knowledge tell us? Is the connection to the market protected by SSL in a way that would stop this for non market users? Would gaining access to the developer account really be a part of this exploit? (If Google patches their server to not accept the compromised keys, does that stop the bad updates at the source?)

      This seems like it could be a really neat problem to explore in more depth. Not for black-hat purposes of course, just educational.

      --
      Restating the obvious since nineteen aught five.
    3. Re:Be careful of the origin of your software. by Yebyen · Score: 2

      I'm reading every month about some new vulnerability that enables hackers to get your WPA keys in cleartext with some kind of rainbow tables or government/corporate database, spoof your AP, and convince your phone to join their internets (boom, MITM executed.) I think it would be a lot easier to drive by a few times a week to case the joint and prepare to get the hack ready, then just push out some bogus updates to root your phone after a few successful network privilege escalations, now they have all your saved passwords and are transmitting your GPS coordinates back to base, over the air, 24/7.

      That is much easier than to "sneak into your house, gas you, and erase your memory Lacuna Inc. style" -- we're talking about real attacks that can compromise your data without your knowledge.

      NSA news demonstrates that advanced persistent threats are real and they need not be discovered or be public to be effective at compromising "security systems." I appreciate what you're saying, "your data just is not that interesting" but if your target was PirateAt40 or Edward Snowden, you'd take the cheap, safe option, and not the option that involves potentially being caught breaking and entering with chloroform, a heavy wrench, and other "sophisticated hacking equipment." That is assuming you weren't just going for the full-blown Colombian Necktie.

      --
      Restating the obvious since nineteen aught five.
  3. Re:Android marketplaces in China by Yebyen · Score: 2

    For people in China, it probably was, until this news!

    There are two separate keys that were compromised, if I understand the output of the scanner correctly. KatKiss ROM for Transformer TF-101 has been patched for both since Version 220 or 221. I haven't tried V223b yet because it purports to change a bunch of defaults for performance reasons that I don't want to have to change back again every time I re-flash (but it's out).

    Incidentally, the source is not available at this time! EOS4 git repos went down when TeamEOS broke up. I don't know for sure, but http://git.teameos.org/ is a cgit with at least web reader access to help tell which repos have changes from AOSP, but they are not available for cloning. Bummer.

    I am sure timduru could use some help from anyone with the source, or with a lot of patience to read the individual repo commit ids from EOS4 cgit while it's still up, and check AOSP to see if they are present somewhere in history or divergent. (I've talked to him. It's a big job. I'm sure he could use the help, just not sure how to provide it best.)

    I get my OS from these guys. But yeah, I would not be downloading apps from Android marketplaces in China.

    --
    Restating the obvious since nineteen aught five.
  4. Re:Android marketplaces in China by tlhIngan · Score: 2

    For people in China, it probably was, until this news!

    Problem is, the Play Store is not available in China. In fact, it's not available in a lot of places.

    And even in the US there are many legitimate reasons WHY you'd want to "allow non-marketplace apps" to be checked. Say, the Amazon App Store. Or Humble Bundle for Android. Or many legitimate sellers of Android apps who refuse to use the Play Store.

    The problem with Android is it's an "all or none" proposition - you can choose the safety of the Play Store, or you can have it all. You can't choose the safety of the Play Store and other stores you trust (though there is legitimate reason why it's not necessarily a good idea).

    The legitimate reason? It doesn't really protect anything - thanks to the dancing pigs (or rabbits) issue, even if you made it so a user could "approve" a store, guess what? They'll approve illegitimate ones because they want the app.