Posted by: David Harley | July 12, 2013

Android Masterkey turns out to be just a duplicate

I admit it: I let myself be rushed into commenting on Bluebox’s blog on its discovery of an Android vulnerability that bypasses the verification by cryptographic signature that is supposed to prevent the installation of malicious or at least unauthorized apps. Well, journalists and PR agencies have their own pressing deadlines and therefore tend to prefer soundbites right now to a comprehensive appraisal next week. But I had, of course, no privileged information as to the exact nature of the vulnerability Bluebox were teasing us with.

So, having had a little more time to consider, and having received a little feedback on the ESET blog article that quoted me, I returned to the topic with an analogy – Darkleech and the Android Master Key: making a hash of it – that would make it clearer what Bluebox seemed to be describing. My exact words (with a little editing to reduce the length):

… Bluebox seem to have found a way of modifying the code without changing the file hash.

Which sounds a bit like having someone knocking the head off a statue and no-one noticing that it’s happened because its weight hasn’t changed. I can’t think of any circumstances under which this disfigurement wouldn’t reduce the absolute weight of a statue. … However, if you chose, for whatever unlikely reason, to monitor the integrity of a statue only by monitoring its weight, an attacker could conceal the decapitation by interfering with the set of scales on which the statue happened to be sitting. I imagine that the Bluebox attack will turn out to be something like this: the code has been changed, and the cryptographic signature no longer matches, but some way has been found to prevent the Android verification system from noticing the discrepancy. If you like, it looks at the scales instead of the statue.

Which turns out to be correct in principle, but I didn’t expect the vulnerability to be quite as lame as the article here suggests it is/was (apparently there was a patch some time ago: the problem is with the distribution of updates, not unexpectedly). If the latter description is accurate, the problem is this. An APK is an archive file, and that archive format is permissive enough to allow duplicate filenames. According to Pau Oliva Fora of ViaForensics, “The entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK – the injected one that can contain the malicious payload and is not checked for signature at all.” A bit like the companion viruses of yesteryear, though without the ability to self-replicate.
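As an added illustration (not code from this post, nor from Bluebox or ViaForensics), here is a small Python check for the condition described above: an APK-style ZIP whose central directory lists the same name twice, so that a verifier and an installer picking different positions see different bytes. The sample archive, its entry names and payloads are constructed for the demonstration.

```python
import io
import warnings
import zipfile


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-like ZIP carrying two entries with the
    same name. zipfile warns about the duplicate but still writes it,
    which is exactly the permissiveness the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", UserWarning)
            zf.writestr("classes.dex", b"FIRST-ENTRY")   # the entry seen first
            zf.writestr("classes.dex", b"SECOND-ENTRY")  # the entry seen second
    return buf.getvalue()


def find_duplicate_entries(apk_bytes: bytes) -> dict[str, int]:
    """Return {name: count} for every name listed more than once in the
    central directory. infolist() keeps every record, whereas namelist()
    and read() silently collapse duplicates, so a scanner must use it."""
    counts: dict[str, int] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            counts[info.filename] = counts.get(info.filename, 0) + 1
    return {name: n for name, n in counts.items() if n > 1}


def entries_by_position(apk_bytes: bytes, name: str) -> list[bytes]:
    """Every payload stored under `name`, in archive order. Opening by
    ZipInfo (not by name) reads each record at its own header offset."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.open(info).read()
                for info in zf.infolist() if info.filename == name]


def lookup_by_name(apk_bytes: bytes, name: str) -> bytes:
    """What a name-keyed reader returns: Python's zipfile keeps the LAST
    record for a name, the opposite of the installer behaviour quoted in
    the post, which is the whole point of the discrepancy."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read(name)
```

A scanner that treats any non-empty result from find_duplicate_entries() as a rejection reason catches this class of archive regardless of which position a given parser happens to prefer.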

Or if we return to the statue analogy, you don’t have to change it in any way: all you have to do is put another statue with the same name next to it, in such a position that the spectator will see the imposter rather than (or ahead of) the real thing. So you may think you’re looking at Rodin’s The Thinker, when you’re really looking at Dark Avenger’s The Stinker. OK, probably not Dark Avenger’s: we haven’t heard from him in a long, long time…

David Harley
Small Blue-Green World
ESET Senior Research Fellow
