The existence of another “master key” bug that can be used to push malware onto Android users has been publicly disclosed by Jay Freeman (a.k.a. Saurik), the technology consultant and security researcher who unearthed the bug around the same time as the previous two were found and disclosed in July.
Freeman didn’t go public with his knowledge then; instead, he notified Google of the flaw so that it could be fixed in the forthcoming update of the OS. Now that the update is out, he has shared the bug’s details in a blog post.
In short, the bug is similar to the second one found, and allows malware peddlers to replace a legitimate, verified app with one that has had malware added to it, all without the device spotting the subterfuge and stopping it.
I won’t go deeply into the technical details, as Freeman’s post explains the problem well, includes a proof-of-concept exploit for it, and explains how the bug can be patched. Alternatively, Sophos’ Paul Ducklin also did a bang-up job of explaining the bug’s intricacies.
Users who have updated their Android installation to the latest version (4.4, KitKat) are currently the only ones whose devices cannot be compromised by malicious apps exploiting this flaw.
Since KitKat was released a little over a week ago, and Android updates are typically slow to reach actual devices, only Google Nexus owners are, so far, safe. Google aims to bring the majority of users up to this newest version as soon as possible, but realistic expectations and announced deadlines point mostly to updates in 2014.