New App ReKey Fixes Android Master Key Vulnerability

A new app called ReKey fixes the Android master key vulnerability, released by Duo Security.

The Android master key vulnerability disclosed a couple of weeks ago puts nearly all Android phones at risk of attacks that can modify legitimate apps with malicious code that would give the attacker full control of the device. Google has released a patch, but Android users are dependent upon their carriers for patches and none of them is in a hurry to push new versions to their users. So to fill the gap, mobile security firm Duo Security and Northeastern University have developed an app that fixes the vulnerability.

The Android vulnerability lies in the way that the operating system handles integrity checks on APK files. To exploit the vulnerability, an attacker can create a file with the same name as a legitimate APK file and modify it to include malicious code. The attacker can create a zip file in such a way that when the device checks the signature on the file, the attacker can force the OS to check the one with the legitimate signature and then have the other one loaded onto the device. Researchers at Bluebox Security discovered the vulnerability several months ago and have been working with Google on a timeline for a fix.

Google has produced a patch, but because of the way that the Android ecosystem works, there’s no telling when most users will get it. Carriers have control over when new versions of Android are pushed to users, and many of them have been slow to release updates to fix security issues.

The app from Duo Security and Northeastern is called ReKey and it’s available in the Google Play market and is designed to fix the vulnerability in the absence of a patch from the carrier.

“The security of Android devices worldwide is paralyzed by the slow patching practices of mobile carriers and other parties in the Android ecosystem,” said Jon Oberheide, CTO of Duo Security. “We are excited to bring forward innovative technology like ReKey that puts security controls back into the hands of users and enterprises.”

Image from Flickr photos of Nasaldemons.

Suggested articles


  • Susan on

    Hi, I read this post with interest, but when I went to download ReKey, it says it is for rooted phones only. I have not rooted my Droid Incredible 2, and at this point am not sure how comfortable I would be doing it. Does this mean that those of us with stock phones must be vulnerable to a master key attack?
    • Brian Donohue on

      Google has already patched the vulnerability, but, unfortunately, Google does not push updates to Android users. Only the service providers (AT&T, Verizon, etc.) can push an update to your device. So, until [whoever your provider is] ships out the patch, the only option is to download ReKey, which is only available for rooted phones - probably because of the device access it requires. Does this answer your question?
  • Paul on

    "Yes" would have done ;)

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.