Making sense of the latest Android 'Master Key' security scare

No spin, no bullshit, just clear simple talk about what's going on this time

Some real talk about the exploit the Bluebox security team discovered is needed. The first thing to know is that you're probably affected: the bug has been in Android since version 1.6, so every device that hasn't received a patch for it is exposed. If you've rooted your phone and flashed a custom ROM, don't assume you're exempt. The flaw is in the part of the OS that checks app packages, so a custom ROM is only safe once its maintainers ship a fix, and root adds a whole different set of security concerns on top.

If you don't have the infamous "Unknown Sources" box checked in your settings, so your phone refuses to install anything that didn't come through Google Play, this is largely moot for you. Carry on, and feel free to be a little smug and self-righteous; you've earned it for eschewing sideloading all this time in case something like this happened. If you don't know what this means, ask someone.

For the rest of us, read on.

More: IDG News Service.

Special thanks to the whole Android Central Ambassador team for helping me make sense of this!

What is it?

Every app on your Android phone is signed with a cryptographic key belonging to its developer. When it's time to update that app, the new version must be signed with the same key as the installed one, or Android refuses to install it over the old copy. You can't update it, in other words. (The signature bytes themselves differ for every build; what has to match is the key, or more precisely the signing certificate, behind them.) There are no exceptions, and developers who lose their signing key have to publish a brand new app that we have to download all over again. That means starting from zero: all new downloads, all new reviews and ratings. It's not a trivial matter.

The system apps, the ones that came installed on your phone from HTC or Samsung or Google, are signed too, with the manufacturer's own platform key. Apps signed with that key can run with the system's own user ID and are trusted with far more of the phone than a normal app ever gets, because they come from the manufacturer. But they're still just apps, installed and updated through the same package installer as everything else.

Still following me?

What we're talking about now, what Bluebox is talking about, is a method to tear open an Android app and change the code inside it without the signature check noticing. We cheer when hackers get around locked bootloaders, and this is the same sort of exploit. When you lock something, others will find a way in if they try hard enough. And when your platform is the most popular on the planet, people try very hard.

So someone can take a system application from a phone, just pull it right out. Using this exploit, they can edit it to do nasty things, give it a higher version number so the phone sees it as an update, and pack it back together so that it still passes as signed by the manufacturer's key. You could then install this app right over top of your existing copy, and you now have an app designed to do bad things with the same system-level access the original had. The whole time, the app will look and behave normally; you'll never know something fishy is going on.

Yikes.
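What the bypass actually does became public later, when Bluebox presented it at Black Hat 2013: an APK is just a ZIP file, and a ZIP can carry two entries with the same name, so the copy the signature verifier hashed and the copy that actually got installed were different files. The script below is an added example written for this edit, not code from Bluebox, Google or the article. It runs the two cheap checks that defeat that trick: every entry name must appear exactly once, and each entry's SHA-1 must match the SHA1-Digest recorded for it in META-INF/MANIFEST.MF. It does not verify the PKCS#7 signature over the manifest (that needs a crypto library and the signer's certificate). The function names, the sample APK contents and the tampering routine are all constructed here for illustration.

```python
"""Pre-install sanity checks for a sideloaded APK (an APK is a ZIP archive).

Added example for this edit, not code from the article, Bluebox or Android.
It does NOT check the PKCS#7 signature in META-INF/*.RSA; it checks the two
things a "same key, different code" package depends on getting past:
  1. every entry name appears exactly once in the central directory, so the
     bytes a verifier hashes are the bytes an installer extracts;
  2. every non-signature entry's SHA-1 matches the SHA1-Digest recorded for
     it in META-INF/MANIFEST.MF (the per-file digests a v1 JAR signature
     ultimately covers).
"""
import base64
import hashlib
import io
import warnings
import zipfile


def manifest_digests(mf_text):
    """Parse MANIFEST.MF into {entry name: raw SHA-1 digest bytes}.

    The JAR manifest format wraps lines longer than 72 bytes onto a
    continuation line that starts with a space; join those first.
    """
    lines = []
    for raw in mf_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name] = base64.b64decode(line[len("SHA1-Digest: "):])
            name = None
    return digests


def check_apk(apk_bytes):
    """Return a list of findings; an empty list means the archive passed."""
    findings = []
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    names = [info.filename for info in zf.infolist()]
    for name in sorted(set(n for n in names if names.count(n) > 1)):
        findings.append(f"duplicate entry: {name}")
    try:
        digests = manifest_digests(zf.read("META-INF/MANIFEST.MF").decode())
    except KeyError:
        return findings + ["missing META-INF/MANIFEST.MF"]
    for name in dict.fromkeys(names):  # each name once, in archive order
        if name.startswith("META-INF/") or name.endswith("/"):
            continue
        if name not in digests:
            findings.append(f"entry not covered by manifest: {name}")
        elif hashlib.sha1(zf.read(name)).digest() != digests[name]:
            # zf.read() returns whichever copy the central directory lists
            # last; a verifier that hashed the first copy would disagree.
            findings.append(f"digest mismatch: {name}")
    return findings


def build_sample_apk(entries):
    """Constructed sample: the given entries plus a MANIFEST.MF carrying the
    correct digest for each (what jarsigner writes, minus the .SF/.RSA)."""
    mf = "Manifest-Version: 1.0\r\n\r\n"
    for name, body in entries.items():
        digest = base64.b64encode(hashlib.sha1(body).digest()).decode()
        mf += f"Name: {name}\r\nSHA1-Digest: {digest}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", mf)
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def add_duplicate_entry(apk_bytes, name, body):
    """Constructed tampering: append a second entry under an existing name
    without touching the manifest. zipfile only warns about the clash."""
    buf = io.BytesIO(apk_bytes)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "a") as zf:
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_sample_apk({"classes.dex": b"dex\n035\x00original code",
                              "res/layout/main.xml": b"<LinearLayout/>"})
    print("clean:", check_apk(clean) or "OK")
    tampered = add_duplicate_entry(clean, "classes.dex", b"dex\n035\x00evil")
    print("tampered:", check_apk(tampered))
```

Run it against any APK you are about to sideload by passing the file's bytes to check_apk(). A non-empty result means the package is either broken or built to make a verifier and an installer see different contents, and it should not be installed. The general principle is the same one the Android fix applied in the installer itself: the bytes you verify must be exactly the bytes you install.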

What’s being done about it?

The folks at Bluebox told the entire Open Handset Alliance about this back in February. Google and the OEMs are responsible for shipping the patch. As of this writing, Samsung has done its part for the Galaxy S4, but every other phone it sells is vulnerable. HTC and the One didn't make the cut, so all of HTC's phones are vulnerable. In fact, every phone except the TouchWiz Galaxy S4 is vulnerable.

Google hasn't yet shipped an Android update that patches this issue. I imagine they're working hard on it; see the issues Chainfire has gone through rooting Android 4.3. But Google didn't sit idly by and ignore it either. The Google Play store has been "patched" so that tampered apps can no longer be uploaded to Google's servers. That means any app you download from Google Play is clean, at least where this particular exploit is concerned; it says nothing about apps that are bad for other reasons. But places like Amazon, SlideMe, and of course all those cracked APK forums out there are wide open, and every application could have bad juju inside it.

So this is a really big deal?

Yes it’s a huge deal. And at the same time, no, it’s really not.

Google will patch the way Android verifies app packages before it installs them. In this cat-and-mouse game, this is a normal occurrence. Google releases software, hackers (both the good kind and the bad kind) try to exploit it, and when they do Google changes the code. That's how software works, and this sort of thing should be expected when you have enough smart people trying to break in.

On the other hand, the phone you have now may never see an update to fix this. Hell, it took Samsung almost a year to patch the browser against an exploit that could erase all your user data, and that was on just some of its phones. If you have a phone that you expect to be updated to Android 4.3, you will probably get patched. If not, it's anybody's guess. That's bad, very bad. I'm not trying to slag on the people who make our phones, but truth is truth.

What can I do?


  • Don't download any apps outside of Google Play.
  • Don’t download any apps outside of Google Play.
  • Don't download any apps outside of Google Play.
  • In fact, go ahead and turn off the Unknown Sources permission if you like. I did. It lives under Settings > Security on Android 4.0 and later (under Applications on older versions). Anything else leaves you vulnerable. Some "anti-virus" apps will tell you whether unknown sources is enabled if you're not sure; get into the forums and find out which one everyone says is the best if you need to.
  • Express your displeasure at not getting essential security updates for your phone. Especially if you’re still on that two-year (or three-year — hello Canada!) contract.
  • Root your phone, and install a ROM that has an actual fix for this. The popular ones will likely have one very soon, but check that the build you flash really includes it; a ROM grabbed from a random forum thread is the same trust problem in a much bigger package.

So don’t panic. But be proactive and use some common sense. Now is a really good time to stop installing cracked apps, because the people doing the cracking are the same sort of people who could put evil code into the app. If you get any update notices that come from a place other than Google Play, tell somebody. Tell us if you need to. Figure out the people who are trying to pass on these exploits and give them a heavy dose of public shaming and exposure. Cockroaches hate the light.

This will pass like security scares always do, but another will step in to fill its shoes. That's the nature of the beast. Stay safe guys.

Reader comments

84 Comments

Well, what about the Amazon Appstore? Does this apply to them and the way they upload APKs on their servers?

Posted from my Verizon Galaxy S III via Android Central App

He already said that:
"places like Amazon, Slide Me, and of course all those cracked APK forums out there are wide open"

What about sideloading apps from the Android Central forums that people post, like the Google Wallet sideload for Verizon GNex phones, and the XDA Developers site, where I have sideloaded Flash on my phone because Flash won't let you load unless you have ICS or lower? I always assumed XDA was a trustworthy site and kept a tight ship there.

I would generally consider most things you see on XDA *fairly* trustworthy, since so many people there are avid programmers and would instantly blast an app if it was discovered to be doing something other than advertised.

That said, there's nothing there to specifically *prevent* an app shared on XDA from doing something like this, or any other security exploit for that matter.

The long and short: *ANYTHING* downloaded from *ANYWHERE* other than the Google Play store could potentially contain malicious code. Google has a kind of anti-virus/malware code checker (called "Bouncer", I think) that scans everything in the Play store for malicious code to prevent stuff like this from being downloaded from there.

TL/DR: Turn off "Unknown Sources" and this whole thing doesn't apply to you.

Yes, those, too. Unless you absolutely know and trust the source, you're taking a risk doing any sideloading.

Even if you DO know and trust the source, sideloading is bypassing any security that Google has put in place on the Play Store. So again, you're taking a major risk by sideloading anything.

Tell 'em Jerry! All the other sites *cough BGR cough* are sensationalizing this story as per usual -.- It's not a real problem unless you sideload apps from other sources. Keep up the good work.

That's because BGR is owned by Apple and anything that makes Android look bad, they will jump on it as per usual.

You should see some of the comments on Engadget's little write up they did yesterday!

One person even went to the extent of saying "Android is just as bad as spam - I don't need it"...
Someone apparently forgot to tell this iTard that every OS has its loopholes, even the ones made by Apple.

Yeah just ask iPhone users that bitch every time iOS gets a major update and still does not have the stuff android users have had for years.

Posted via Android Central App

Check the iOS 7 release comment boards and see what people are bitching about not having in this release. A lot of "why don't we have it, Android does". Like file managers. Picture folder managers. Music managers, all on the go and not having to plug into a computer to manage it. Live wallpapers. Real GIF support. You know, stuff like that. And I also have Apple devices. So I know stuff Apple does better than Android and stuff Android does better than Apple.

Posted via Android Central App

I use blacked apps from Team Black Out; unfortunately, the patching process will probably hamper their efforts because this is essentially what they do, just (hopefully) without any malicious code injection.

Posted via Android Central App

This is unrelated.

They pull the APK from their phone like you should be able to, change the resources and sign them under their own key.

They basically make the version install signed by them, not the original developer.

Fair enough, I was just concerned because I've had some of the .zip CWM-installed apps attempt to update with the normal version through the Play store. G+ for example.

Posted via Android Central App

I was just wondering how this would affect FP. I do have Lookout installed and HOPE that this is securing my phone. I did have one Lookout notice when I was driving using Google Navigation. It scared the crap out of me. Just reminded me to go have a look and see what it was.

Thanks AndroidCentral and Jerry for this article. This is the MAIN reason I follow you guys more closely than all others. You provide excellent information that I can understand and share with others.

Happy Independence Day!!

I'm late with this, but I agree with you and your concerns, too. And, Happy 4th of July and a good day to you (and everyone else! If I may say so.) :-)

(I appreciate Android Central, Mobile Nations, & all the readers, too!)

Posted via Android Central App

Having side-loading turned on is still not a problem so long as you're not doing something you shouldn't be.

Don't download pirated/cracked APKs. Period. If you do, and you get malware, you deserve it. Period. Sorry if that sounds harsh, but it's the truth. Most of the time when these malware "scares" come out, that's where it's coming from.

If you get an APK from an email or web page, it's still going to give you the "installer" screen with the permissions (and a notice that it's replacing an existing app) and you will have to actively click "Install" for there to be an issue. I would strongly recommend not installing any APK sent in an email unless you can verify it's from a trustworthy source. And that also means being able to make sure wherever your buddy got it from is on the up and up. (see comment about pirated apps above)

Just don't go installing stuff from outside the Google Play store unless you're *really* confident that you trust the source. That's good practice even if your phone doesn't have this vulnerability. And, if you do side-load an app, pay close attention to that installer screen, especially if it says it's going to replace an existing app.

How did this article blissfully overlook the Verify Apps setting in Google Settings?

We won't know for sure whether it catches this exploit until Bluebox reveals its method. But this would appear to be exactly the kind of thing that setting was designed to stop, especially since Google has been aware of it since February.

I had Verify Apps set and it did not work properly, for me at least. I have no clue why it just went back to the main app screen when attempting to use it, but I had to get a friend to help me disable it is all I know. I will attempt to use it again, as it was upon installing apps after an OS update.

yep so basically a non issue, however I do think it represents a problem how the manufacturers have to control updates, that's why I naturally gravitate towards Nexus devices.

And yet Google has known about the issue for at least 5 months and ALL the Nexus devices, like my Nexus 10, are still vulnerable and unpatched by Google...

I would think any Android device would be affected by the reading of it. I own a tab and I am locking it down.

This should not be "scary". Just don't install apps from untrustworthy sources, pay attention to app permissions when you do install an app, or turn off side-loading completely.

Odds are, no app has ever used this exploit and part of the reason Bluebox isn't releasing the details yet is that they don't want to tell the bad people how to do it.

Just be smart with what you install, and you have nothing to worry about.

It might... it might not though. The problem with malicious code with administrative access (ROOT if you will) means it can now install code anywhere. Meaning if you delete the app, it may have installed a script to run it afterward. When attacking a device breaking in is only one part of the equation. Keeping access and hiding yourself is the other part. This applies to any kind of security compromise. Let's just hope that it doesn't run a "rm -rf /" upon uninstallation.

THIS, was a very informative and helpful article from Jerry & Android Central! It was explained very well. Thank you guys!

Posted via Android Central App

What difference does it make when governments are already spying on us and Facebook are taking out phone numbers and giving out private information?

I'm sure Amazon is safe and I hope humble bundle are too. Smells of "Google only want you to buy apps from them" propaganda.

I do agree that these cracked apps sites are the worst and most likely to have nasty stuff on them.

Posted via Android Central App

Just because you have no privacy now doesn't mean you shouldn't work to attain it. Ideally the government wouldn't be so intrusive, but since 9/11 all governments seem to have taken the wrong steps. Yes, all. Besides, the code loaded by this stuff, even uploaded through Amazon (I can upload any app I want, free of charge, and it may not be mine and may be modified, you wouldn't know it), might not be stealing your information just to spy on you... it might be stealing your bank password through the mobile app, using the app's ability to transfer all your money out of your account into another account, stealing your social security number, reading your email which might include backups of documents such as your tax returns (SSN anyone?), and generally slowing down your device.

Fine enough. But I think I will also go and put my tinfoil hat on as well. :-) it could very well be the case but I don't think we should all panic and make things worse. I have Sophos on my phone that scans for virus and so on.
Remember when computers were the big thing and Microsoft were always getting big mad viruses? The world panicked all the time. Let's not get crazy or we will all end up getting what we wish for and android will be locked down......it will become.....IOS....No!!!!!!!! :-P

Posted via Android Central App

I side-loaded the new camera app that Alex Dobie suggested a few days back.
Is my phone now tainted?
Can't Blue Box make an app that checks for that and remove it instead of scaring us and leaving us in the dark?

Check for what? Have a known MD5 sum for EVERY APP OUT THERE?! This is really the only way to know. The modifications to the app could be anything. It could be anything from a practical joke to something that forwards all your data to a proxy server... oh yeah, and HTTPS doesn't matter here, because they get the handshake, certificates etc. Bought a book on your tablet? There's your CC information.

As far as I've read, Bluebox has not yet released the details on *how* to do this to the public, they've only announced that *they* have discovered that it's possible. It's entirely likely that this has never *actually* happened yet.

That said, even if there are apps out there like this, it's a matter of how much do you trust the source of the app? Not all side loaded apps pose a security risk. Many are going to be perfectly safe.

If I find something on XDA from Chainfire, for example, I'm not going to think twice about installing it if it does something I want on my phone. It all comes down to not installing apps from outside the Play store unless you feel that you can trust (at least mostly) the originator.

Honestly, if you don't know who to trust, just turn off side-loading and it's a non-issue.

As usual, another great article from Jerry. Thanks for explaining the issue and informing people of the potential problems and fixes.

Posted via Android Central App on TMO Note 2 running Jedi Master 14

I'm glad my Galaxy S4 with Touchwiz is immune but Google, all OEMs, and all carriers need to get on board quick to get this patched for ALL other Android based devices....even those that are more than a couple years old.

How can I know if the apps that I write myself and install through adb are dangerous or not?

## strange voice cackles inside my head telling me to relax, install it, and pay no attention to the nerd behind the keyboard ##

I know this is a joke, but for those that might be concerned for your own code... why are you programming with root permissions if you're unsure? :P Emulators are great, and if you're pushing development builds to your live device, you get what's coming to you. There's a reason most people go through a testing phase :P

You mean Android has security and stability issues? Who knew? Yeah, a little salt in the wounds helps prevent viruses. Before you start your flame war, even I would overlook Android for a full version of the Galaxy Note 8 LTE. The most complete device ever created that you can't get with full features in North America. Way to go Samsung. Thanks for letting us North American consumers know we're not good enough for your top products. End rant.

BGR is to legitimate tech reporting what Taco Bell is to legitimate Mexican food.

*edit* this was supposed to be in response to oddom's comment earlier.

They said that the GS4 has a patch in place. Does that mean that when the GSIII gets updated to Android 4.2.2 (with the Galaxy S4's TouchWiz), will it have a patch in the software as well?

That photosphere camera app you uploaded on here the other day better not have this exploit on it **evil eyes at Alex**

Not to mention the Sunbeam.apk app being shared like crazy last week.... :-\

Posted via Android Central App

There has been plenty of malware found on apps in the Google Play Store so I wouldn't consider this a silver bullet.
Rooting with another supposedly fixed rom is playing a dangerous game and I would not recommend it.

Agreed. I laughed at the comment about going off and rooting the phone. That's saying jump out of the frying pan and into the fire. :-)

Posted via Android Central App

Yeah I was surprised to see that too. Lots of malware issues in the Google Play store so I don't exactly trust them to keep malware out. Whatever sort of scanning they are doing isn't working very well.

Google "malware in play store"

As the article says, apps that have been modified this way can't be uploaded into Google Play. 

Bluebox won't tell anyone any of the details. Requests for more information on the methods are answered with "we'll cover it all at our Blackhat 2013 talk in Vegas at the end of the month."  But they told Google (and the OHA), who was able to quickly "fix" the Play store.

We'll know exactly how it's done in early August. 

Speculation below this line :P

----------------------------------------------------------------------------------

I think Google is fixing this in 4.3 by changing how apps are granted superuser permissions and how they can act with the system. If you poke around the Internet and read of the issues Chainfire had getting the 4.3 leak correctly rooted, and how the apps that need root permissions are still having issues, you have to come away thinking there will be major changes in 4.3.

We won't know more until the code is released, which I think is taking longer than we would like because of these security fixes.

Perhaps that's the reason 4.3 exists then. All we've seen so far has been superficial or small under the hood stuff, which all could have been done in a 4.2.x release. Since it wasn't, it would seem you're right on the money.

Posted via Android Central App

Thanks jerry. Been waiting on this article ever since I saw the this is the end of android and there is nothing you can do to stop it type of writing on venture beat. Wish there was a way to downrate that from being hot on g+

Posted via Android Central App

Isn't this something that could be patched through the play store? like getting the google keyboard recently, you (meaning el goog) could issue a patch that way?

What worries me the most is that Android lacks the ability to distribute Security Updates directly to all active OS levels to minimize the risk of exposure, and to distribute them quickly. Applying a patch in 4.3 will help to protect just a miniscule percentage of users.

Posted via Android Central App

While you're correct about Android's inability to quickly "patch" issues like this, it seems like Google is working to make Android less "monolithic" with some changes coming in 4.3 that might make this possible in the future.

The problem with "patching" is that some things require OEM modification and carrier approval. Both of those are big bottle necks in getting that new software out to devices. In many cases, the carriers really seem to be the problem, at least in the US.

This happens to Windows all the time. Computer software will be exploited, it will happen no matter how many times Google patches Android; just like no matter how many times Microsoft patches Windows someone finds a new exploit.

Just be cautious on what you download and if an app bricks your phone there are warranty replacements. If your phone breaks your life won't come to a screeching halt.

"...the new version must have the same digital signature as the old or it won’t overwrite."

The wording is incorrect. The applications should be signed with the _same_ key, not necessarily have the same digital signature. They should probabilistically be different.

Google simply needs to patch this vulnerability so we can download from outside sources without having to worry. There are very good reasons to sideload, such as if an app gets pulled from the Play Store for reasons similar to Falcon Pro. Sometimes I have had to purchase games from the Amazon App Store because for some reason, the Google Play Store entry says my phone is incompatible (this means you, EA!).

This article mentions repeatedly "Don't download any apps outside of Google Play".
Obviously the author has no idea that Google Play has no application approval process and anything that gets submitted is available for all to be affected.

Amazon and SlideMe at least have a strict app approval process (do a search and find out), and not only can developers not get their suspicious apps through to these stores, but junk apps don't get through anymore either, totally unlike Google's store.
Google will only remove apps once they get informed about such cases, which could take a very long time until they get around to it.

That being mentioned, such stores do verify that app authors are the legitimate owners and don't let just anyone submit known apps, such as one I noticed on the Play store for a specific Gameloft game that was not even submitted by Gameloft and was on that store for 3 months or so. So stores need to do their due diligence in terms of who is submitting the app. Likewise users need to be careful about who the publisher of the app is and use appropriate scanning apps that have been updated.

Ever wondered why Google Play has no such menu as Latest Apps or New Apps? The answer is that to Google the number of apps is a business to compete with Apple's number of apps, and Google will not dare show such a "Latest Apps" list that would show how much malicious junk is in there. The second reason Google does not have such a listing is to make it harder for scrapers making money by redirecting users to the Google Play store for driving installs.

In honesty this article is an advertorial promoting the above-mentioned company and their app (like every app security company does nowadays), which apparently warns users if an app is sourced from outside of Google Play, a feature that should be laughed at.

I agree. I see comments all the time saying "it's nothing" as long as you don't sideload.

Additionally, I can't believe people think that changing ROMs even solves the problem.

"Root your phone, and install a ROM that has some sort of fix -- the popular ones will likely have on very soon"

There's a demo of the exploit changing the ROM data also... so telling someone to go and get a ROM from "out there" is irresponsible.