Researchers from security firm Bitdefender have unearthed two relatively popular apps on Google Play that leverage the infamous Android “Master Key” bug, but luckily for users who downloaded them, the app developers have no malicious intent.
“The applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake,” explained Bogdan Botezatu. “In contrast, malicious exploitation of this flaw focuses on replacing application code.”
The bug, which was recently discovered by researchers from Bluebox Security, and a similar one flagged by a user of a Chinese forum allow malicious individuals to modify the code of any app without breaking its cryptographic signature and pass malware off as legitimate apps.
But even though both vulnerabilities have already been fixed by Google and the patch given out to device manufacturers, it will take considerable time for all of them and the various carriers to distribute a patch to its users.
A week ago Bluebox has created and made available for download an app for detecting whether users’ Android installation has already been patched or still sports the vulnerability, whether their system settings allow non-Google Market application installs, and whether they have already installed one or more apps that take advantage of the flaw.
But researchers from Northeastern University’s System Security Lab and Duo Security have created something even better: ReKey, a mobile app that “takes the upstream patch from Google and deploys it in a safe and non-destructive manner on your device.”
Currently in beta, the app works only on rooted devices as it injects a small piece of code into the Android framework and that requires escalated privileges. The app also detects apps abusing the “Master Key” vulnerabilities if the user attempts to install them
This can be very useful because, as Bitdefender has pointed out, “two applications with this behavior managed to make their way into the Play Store without raising any red flags” – despite Bluebox CTO Jeff Forristal claiming that Google has made that impossible.