KitKat swats yet another Android 'MasterKey' bug

INVASION of the UNDEAD ANDROIDS averted. Again


Android 4.4 contains a fix for yet another – albeit weaker variant – of the so-called MasterKey bug that first surfaced in July.

The vulnerability first shook the security world when mobile security startup Bluebox Security warned about a class of flaw that potentially affected 99 per cent of Android devices. The problem revolved around how Android handled the verification of the integrity of apps.

Security shortcomings meant that malicious parties could alter some of the contents bundled in an app without changing its cryptographic signature. Apps for Android come as .APKs (Android Packages), which are effectively just ZIP archives. Bluebox discovered it was possible to pack an installation file with files whose name is the same as those already in the archive. These renamed files could easily contain malicious code. It discovered the gaping security hole in February and notified Google but a fix didn't arrive until July.

The issue arose because Android checked the cryptographic hash of the first version of any repeated file in an APK archive, but the installer extracts and applies the last version, which might be anything and wouldn't be checked providing it had the same file name as an earlier (legitimate) component.

A similar bug, discovered by Chinese Android researchers, was also fixed in July. It was Java-based but had the same practical consequences - miscreants could upload Trojan-laden .APK files onto online marketplaces that carried the same digital signature as the legitimate app. Both the two earlier issues were resolved with Android 4.3 Jelly Bean, which was released in July.

Investigation of the recently released Android 4.4 source code by Jay Freeman, a mobile security developer best known for his work on iOS and Cydia*, has revealed that it contains a patch for a third flaw along the same lines. The third flaw is less easy to exploit than the two previous variants, but is still potentially problematic. It arises because it is possible to manipulate the filename length field in a ZIP file's metadata.

"The local header filename length is deliberately set so large that it points past both the filename and the original file data," explains veteran antivirus expert Paul Ducklin on the Sophos Naked Security blog. "This presents one file to the verifier, and a different file to the operating system loader."

Android maintainers have quashed the latest bug by altering the Java-based validation code "so that it follows a similar path through the data to that used by the loader," according to Ducklin, who describes this as an effective (if not holistic) fix.

Freeman has published a detailed analysis of the flaw, along with proof-of-concept code, here. The third flaw was found at around the same time as the others, but only patched this month.

All three flaws stem from the features of the Zip file format, designed in an earlier era of computing, which featured filename redundancy in case files had to be split across multiple floppy disks. These and other antiquated features are hard-wired into the Zip format, handing over security issues to Android Packages built on the foundations of the format as a result.

Sources have confirmed that all three bugs have been fixed in Android 4.4 and that Google's OEM hardware partners have been notified. It might still take some time for the roll out of the update by device manufacturers, if the progress through the Android eco-system of previous updates is any guide.

El Reg was able to confirm through Romanian software security firm Bitdefender that the latest MasterKey vulnerability has been fixed.

Bogdan Botezatu, senior e-threat analyst at Bitdefender, said: "The code committed into the linked GIT repository has changed in the 4.4 RC1 iteration and the attack vector described in the article has – to our knowledge - been mitigated.

"We also tried to reproduce the described exploit in the compiled AOSP builds that started showing up since Friday with no avail. However, we are looking into the unit to see if special scenarios could allow for similar exploits," he added.

BitDefender Botezatu's discovered two benign gaming apps featuring the original MasterKey Vulnerability in the official Google Play store two weeks after the problem first surfaced so his reassurance that there's no further hidden problems in Android along the same lines, at least for now, is welcome.

Bootnote

*Cydia is an application that lets fanbois search for and install software packages on jailbroken iOS Apple devices.

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021