Feeds

back to article Android 'Master Key' DEMON APPS sniffed out in China

Virus-hunter Symantec says the Android master key vulnerability is being exploited in China, where half-a-dozen apps have showed up with malicious content hiding behind a supposedly-safe crypto key. The simple, straightforward and utterly stupid vulnerability arises because, as Bluebox Security demonstrated recently, someone …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

At the rish of being downvoted into Oblivion

At times like this I have to wonder if (from a purely technical point of view) that the 'closed' systems such as IOS and BBOS etc are worth using just to avoid this sort of thing.

Until the Android people get serious about security, I can't help thinks about the risks here. The words 'Train wreck' seem to pop into my mind.

Just what is the chocolate factory going to do about this? AFAIK, having the master keys mean that each and every Android device is open to being attacked. Changing the keys would be next to impossible (AFAIK).

0
2
Anonymous Coward

Re: At the rish of being downvoted into Oblivion

They don't have the "master keys", the application developers have the keys, what is happening here is the keys are used to verify the valid file and another file with the same name is being installed.

What the chocolate factory have done is patched Android, unfortunately that's only likely to make it's way to Nexus devices in the foreseeable future since manufacturers already have their money and would rather spend their time getting more of it by working on the next device.

Your reason for open vs closed source is off-base here, because vulnerabilities exist in all systems. The only difference between open/closed source is they can be found in the source code easier (by malicious or good coders) than on a closed system where the binaries must be tested/exploited. The advantage of open source is this will be patched in CyanogenMod (and other 3rd party ROMs) before manufacturers pull their fingers out.

I don't want this to come across as defending Google, as this is a pretty schoolboy design error, likely caused by a communication problem between the teams that coded the signature checking and installation systems.

3
0

Re: At the rish of being downvoted into Oblivion

Just as an addendum to the above; comparing Windows to Linux a decade ago would lead you to a very different conclusion regarding the security of open vs. closed systems.

Would I be out of line to suggest that it's fairly foolhardy to claim 'closed' is inherently secure than 'open', on the basis of a single piece of anecdotal evidence?

1
0
Silver badge

Re: At the rish of being downvoted into Oblivion

<quote>AFAIK, having the master keys mean that each and every Android device is open to being attacked. Changing the keys would be next to impossible (AFAIK).</quote>

They are not open to attack UNLESS the user installs some dodgy software from bad sources.

HOWEVER, should any of this software end up on the Google Play Store then that really could be a nightmare. ( I am thinking repackaged Angry Birds or whatever the next fad game will be)

0
0
Silver badge

Re: Google Play Store

I understand that all apps in the Play Store have been/will be checked - it must be a pretty easy check to run through and look for anything with multiple files of the same name, and immediately block them.

GJC

2
0
Silver badge

Open vs. closed

While I agree that open source should be more secure in the long run, I think the point was being made about open vs. closed for the APPS, not the OS.

There are obvious advantages security wise to permitting only a single app store (assuming an unjailbroken phone) and requiring pre-approval of those apps. This does not guarantee the apps don't do something bad, but makes it less likely.

This is a tradeoff of course, because you give up a certain freedom of choice where some apps that may be possible to create but don't get approved for whatever reason aren't available to you (i.e. you can't replace the iOS keyboard)

0
0
Bronze badge

Not so easy

I assume that in an Android app you can legitimately have the same file name in multiple folders - en/help.txt, fr/help.txt, de/help.txt. So you allow that. But then, what about... well, I don't know if ideas that I can think of for making the picture still more complicated actually constitute vulnerabilities, but I'll keep them to myself, anyway.

0
0
Silver badge
Childcatcher

Shocking

Who would ever think that a non-Google Play Store Chinese "betting/lottery app" could possibly be harmful?

5
0
Bronze badge

Genuine Question.

Genuine question: Given that the Kindle Fire/HD run a version of Android with their own market store, does anyone know if these devices are vulnerable to this master key attack?

0
0
Anonymous Coward

Re: Genuine Question.

The problem is with the OS's installation programming that the stores use so probably. Perhaps even more so if Amazon aren't checking their app store for infringing apps - Google are scanning the Play store and removing infringing apps.

0
0
Bronze badge

'master key hack'

I wish you'd stop calling it a 'master key hack' - it's a bug in the key verification as well you know.

'master key hack' implies that private keys have been retrieved, or that the encryption mechanism has been cracked. This might sound more sexy but it's a distortion of the truth

1
0
Anonymous Coward

Pedantry Alert, .zip file is a format, same as .7z,.jar, .tgz, .apk, etc

The standard terminology 'in the biz' to refer to these types of files is 'archive file'.

0
0

This post has been deleted by its author

FAIL

Well the intention of that list was to show other examples of archive file formats, though I can see how you've mistaken it to mean all archive file formats are the same. Still, reading comprehension a bit lacking today?

0
0
Anonymous Coward

IEMI?

I thought those dodgy unlocking sites exist just to harvest IEMIs etc?

0
0
This topic is closed for new posts.