The Android master key vulnerability disclosed a couple of weeks ago puts nearly all Android phones at risk of attacks that can modify legitimate apps with malicious code that would give the attacker full control of the device. Google has released a patch, but Android users are dependent upon their carriers for patches and none of them is in a hurry to push new versions to their users. So to fill the gap, mobile security firm Duo Security and Northeastern University have developed an app that fixes the vulnerability.
The Android vulnerability lies in the way that the operating system handles integrity checks on APK files. To exploit the vulnerability, an attacker can create a file with the same name as a legitimate APK file and modify it to include malicious code. The attacker can create a zip file in such a way that when the device checks the signature on the file, the attacker can force the OS to check the one with the legitimate signature and then have the other one loaded onto the device. Researchers at Bluebox Security discovered the vulnerability several months ago and have been working with Google on a timeline for a fix.
Google has produced a patch, but because of the way that the Android ecosystem works, there’s no telling when most users will get it. Carriers have control over when new versions of Android are pushed to users, and many of them have been slow to release updates to fix security issues.
The app from Duo Security and Northeastern is called ReKey and it’s available in the Google Play market and is designed to fix the vulnerability in the absence of a patch from the carrier.
“The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,” said Jon Oberheide, CTO of Duo Security. “We are excited to bring forward innovative technology like ReKey that puts security controls back into the hands of users and enterprises.“
Image from Flickr photos of Nasaldemons.