Android "Master Key" vulnerability - more malware exploits code verification bypass

Filed Under: Android, Cryptography, Featured, Google, Malware

Thanks to Rowland Yu of SophosLabs in Sydney for the technical work he put in behind the scenes of this article.

Researchers at SophosLabs have come across yet more samples of Android malware exploiting the so-called "Master Key" vulnerability.

These samples are different from the ones announced about two weeks ago by our comrades-in-arms over at Symantec.

So, although this vulnerability is not being widely used yet, there does seem to be more than just a passing interest from the cybercrooks in exploiting it.

As we discussed last month, the exploit doesn't actually crack any cryptographic keys, despite its name.

The "MasterKey" hole

The way it works is annoyingly simple.

Android apps are delivered in ZIP-format files with the extension APK (Android Package).

APK files have a specially named subdirctory that contains a digitally signed list of checksums for the rest of the archive; before installation, the files in the APK are extracted and compared with this list, called MANIFEST.MF.

If there's a mismatch, the APK has failed verification and is rejected.

But if you put two files with the same name into the APK, which is not normally a useful thing to do in a ZIP-format file, Android verifies the first, but installs and uses the second.

So it's like having a master key, because you can effectively "borrow" some third party's package, program files, data, product name, icons, and digital signature...

...yet install and run something that the third party has never even seen, let alone tested or approved for use.

A bad bug - and although it's fixed in the Android open source codebase, Google simply isn't saying anything about how long it's prepared to wait for its handset partners to get the fix out to Android users around the world.

The "Master Key" malware

The Labs guys found three files that piqued their interest.

Two of them contained multiple copies of a file named AndroidManifest.xml.

Every app is supposed to have one, but only one, of these: it declares a bunch of important information, such as the name of the app; the system libraries it uses; and the Android security permissions it requires when it runs.

Modifying this file without re-signing the app ought to cause an error, not least because it means that the app might no longer have the security limitations claimed by its creator.

Fortunately, the modifications in this case have invalidated the APK, apparently because the crooks didn't reconstitute their hacked versions of the original files correctly.

There doesn't seem to be a lot of doubt, however, that malware infection was what they intended, since the executable code in the offending files has a range of functions, including:

  • Collecting data such as your installed applications, SMSes from your inbox, and the IMSI number (International Mobile Subscriber Identity) of your SIM card.
  • Connecting to a server at (That domain is registered but doesn't currently lead anywhere.)
  • Sending SMSes to a list of numbers in China.

The third malware sample did work.

It started life as an add-on pack called Fashion for a picture-based messaging app called Lexin.

But fitted out with imposter files for AndroidManifest.xml and classes.dex (the actual compiled Java code that runs the app), it turned into malware with the side-effects described above.

The original classes.dex and AndroidManifest.xml files make the cryptographic verifier see what it expects.

The cryptographic process during verification isn't cracked, it's merely deceived.

But the imposter files are what actually give the installed app its malevolent code and security permissions.

What to do?

You can greatly reduce the risk of infection by Android malware, of this or any sort, by:

  • Taking apps only from the Google Play Store.
  • Running anti-malware software on your device.

You might also want to try emailing your phone or tablet vendor and asking them, "Do you guys have a fix for the 'Master Key' hole, and if not, can you tell me when to expect it?"

(Sophos Anti-Virus for Android, which is free from the Play Store, can detect, prevent and get rid of this malware, which it calls Andr/MstrKey-A.)

, , , , ,

You might like

5 Responses to Android "Master Key" vulnerability - more malware exploits code verification bypass

  1. Thank you for the Sophos Android app. It's happily running on my Galaxy Note II.
    I've read articles from 2011 back indicating that the SHA-1 algorithm has been compromised.
    Does that appear to have any implication in this exploit?

    • Paul Ducklin · 789 days ago

      I wouldn't say SHA-1 is compromised (in the usual computer security sense of meaning "actually broken"). The insecurity of MD5, which uses a similar sort of algorithm to SHA-1 (and the SHA-2 family) led to some concerns that SHA-1 might be at risk, but IIRC it has not actually fallen yet.

      Nevertheless, SHA-3 was created for future reference, using a different sort of algorithmic construction that should give it resilience against the weaknesses that may exist in the earlier hashes.

      You can read an excellent summary (well...I would say that, I wrote it :-) here:

      Oh. The use of SHA-1 has no bearing on this exploit. The verification succeeds because the verifier consumes the wrong file, which contains precisely the content needed to compute the right hash. So this Android vulnerability would let you defeat *any* hash algorithm.

  2. Mr Vinny Sheridan · 788 days ago

    As someone who is very new to An Android Phone, am I vulnerable to this Master Key Malware if I am running your Anti-Virus software on my phone.

    • Paul Ducklin · 788 days ago

      The screenshot you see above with the "Fashion Version 1.1" icon in it is our anti-virus software blocking an attempt to install this particular malware.

      Patching the "master key" vulnerability *in general* will almost certainly need a firmware upgrade to your phone, supplied by the handset vendor.

  3. Lee · 747 days ago

    What contact should we use to report an exploit on Android? I have emailed but not had any reply?
    I can use my Galaxy S2 (Jelly Bean) that is locked and encrypted and call any number I like and also text and memo all while the screen is locked.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog