Android master key discovered, threatens 99 percent of Android phone users
By Angel Cuala on Jul 5, 2013 in Software, Technology
A supposed Android master key has recently been discovered that could affect 99 percent of Android phone users. The bug (Android security bug 8219321), believed to have existed since 2009, reportedly allows attackers to steal information without the knowledge of Google or end users.
According to a blog post by Bluebox CTO Jeff Forristal on Wednesday, July 3, 2013, the loophole has been present since the release of Android 1.6 (codename “Donut”) and exists in every version of the Android operating system since. It allegedly affects almost 900 million Android devices, depending on the applications installed. The company said it had already raised the issue with Google last February.
As Forristal notes, this so-called Android master key allows an application’s code to be modified without invalidating the application’s cryptographic signature. A malicious author can therefore fool Android into believing that no changes were made. Every Android application carries a cryptographic signature, which Android uses to check that the app is legitimate and has not been tampered with. Below is part of Forristal’s observation posted at Bluebox.com.
“Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls).”
Nonetheless, Forristal offers some recommendations for Android users and app developers. These include verifying the identity of the app publisher before downloading an app, and always installing the most up-to-date version of the app. Stores that implement a BYOD (bring your own device) option are also advised to alert their users to updated app versions.
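The article does not spell out the mechanics; bug 8219321 is publicly documented as an APK (ZIP) packaging flaw in which an archive carries two entries with the same name, so the signature verifier digests one copy while the installer extracts the other. The Python below is an added example, not code from the article or from Bluebox: it shows two defensive checks that reject such a package, assuming a simplified MANIFEST.MF model without 72-column line wrapping and using APK samples constructed in memory.

```python
import base64, hashlib, io, warnings, zipfile

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_apk(entries):
    """Constructed APK-like ZIP; MANIFEST.MF digests the FIRST copy of each name,
    like a signer that assumes one file per name."""
    manifest, seen = "Manifest-Version: 1.0\n\n", set()
    for name, data in entries:
        if name not in seen:
            seen.add(name)
            manifest += f"Name: {name}\nSHA1-Digest: {sha1_b64(data)}\n\n"
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w") as z:
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in entries:
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> SHA1-Digest from MANIFEST.MF (assumes no 72-col wrapping)."""
    digests = {}
    for section in text.split("\n\n"):
        fields = dict(l.split(": ", 1) for l in section.splitlines() if ": " in l)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests

def audit_apk(apk_bytes):
    """Return findings; empty means every entry is unique and covered by the manifest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        infos = z.infolist()
        names = [i.filename for i in infos]
        # (a) a name present twice lets two parsers pick different copies
        for name in sorted({n for n in names if names.count(n) > 1}):
            findings.append(f"duplicate entry name: {name}")
        # (b) every entry the installer would extract must match its digest;
        #     reading by ZipInfo hashes each copy separately
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for info in infos:
            if info.filename.startswith("META-INF/"):
                continue
            if digests.get(info.filename) != sha1_b64(z.read(info)):
                findings.append(f"digest mismatch or uncovered entry: {info.filename}")
    return findings

# Constructed samples: a clean package and one carrying a second classes.dex
CLEAN_APK = build_apk([("classes.dex", b"original bytecode")])
DOUBLED_APK = build_apk([("classes.dex", b"original bytecode"), ("classes.dex", b"modified bytecode")])
```

Running `audit_apk` on `CLEAN_APK` returns no findings, while `DOUBLED_APK` is flagged both for the repeated name and for the second copy whose digest the manifest never covered.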