By Nathan Collier and Cameron Palan
Last week, Bluebox Security reported they’d found a new flaw in the Android OS, saying “The implications are huge!” The bug, also known as the “Master Key” bug or “bug 8219321”, can be exploited to modify Android application files, specifically the code within them, without breaking the cryptographic signature. We call these signatures the “digital certificate”, and they are used to verify the app’s integrity. Since the bug allows an application to be modified while its certificate still appears valid, it is a big deal.
Bluebox did report the bug to Google in February, however, and Google has since issued patches and updates to begin correcting the flaw. Google Play already scans apps for the issue, and Android 4.2.2 and above already has the patch included. We have also been working diligently to protect those not yet covered by any patches or updates, and to find the best permanent solution to this issue for older devices which may never be patched.
Aside from the method used, this is not a completely new tactic in the malware community. Various kinds of digital certificate spoofing have long been used by malware authors in an attempt to disguise their apps. Google Play already scans apps for this particular issue, so any updates or applications downloaded from the Play Store should be safe. One way or another, no matter what the digital certificate says, malicious intent is malicious. The intent of an application is what we have always examined, first and foremost, here in threat research.
Does this change the game? Maybe a little, but that’s why we love our jobs. There’s always something new happening in the malware world that makes things interesting. As always, we are dedicated to protecting users from any kind of emerging threat, including those exploiting the “Master Key” bug.