Bluebox Security has recently gone public with an exploit that is said to be able to affect up to 900 million Android phones. And if that number doesn’t sound scary enough for Android users, putting it another way and you are looking at 99 percent of all Android phones that are in the wild. This exploit is referred to as ‘Master Key’ and it has apparently been around since Android 1.6 Donut — around 4 years now.
They key to all this is in the words though, Bluebox Security has said this “could affect” all of those devices. The could portion comes in here because while those numbers sound big and scary — Bluebox has gone about this the correct way and had already notified Google of this issue back in February. Furthermore, the route that could have affected most users (the Play Store) has already been fixed and taken care of from Google.
Basically, at this point the main way someone could be affected by this issue is from installing a bad APK file from outside the Play Store. This is something that far less than 99 percent of all Android users are doing. Anyway, now that we have hopefully driven home the point that while this sounds scary — it is not as bad as it could have been. That said, lets get into what the exploit is and how it works because the details are somewhat interesting.
Bluebox offered the following;
“The vulnerability involves discrepancies in how Android applications are cryptographically verified & installed, allowing for APK code modification without breaking the cryptographic signature.”
They also went on to mention about how all Android apps contain a cryptographic signature and that is what Android uses to see if the app is legitimate. Or more to the point, to see if that app has been tampered with in any way. Basically, by being able to do this without breaking the signature — it would have been easy (for someone with the right knowledge) to trick Android into thinking a malicious app was perfectly harmless.
Otherwise, while Google has taken care of the Play Store, the rest of the update/fix process is up to the carriers and manufacturers. Bluebox Security has also said they will be discussing more of the technical details of this issue during Black Hat USA 2013 which runs from July 27th through August 1st.