Android Security Squad, the China-based group that uncovered a second Android master key vulnerability that might be abused to modify smartphone apps without breaking their digital signatures.

The whole point of digitally signing a document or file is to prove the file hasn't been modified. The process uses a form of public-key cryptography. In Chinese version of hacking attack, malicious code can be added into the file headers, but the method is limited because targeted files need to be smaller than 64K in size.

The Hacker News

APK files are packed using a version of the widespread ZIP archiving algorithm. Most ZIP implementations won't permit two same-named files in one archive, but the algorithm itself doesn't forbid that possibility. So basically, two versions of the classes.dex file are placed inside of the package, the original and a hacked alternative.

When checking an app's digital signature, the Android OS looks at the first matching file, but when actually executing and launching the file, it grabs the last one. To Trojanize an app, then, all you need to do is shoehorn your malicious code into it using a name that already exists within the app.

The flaw is very similar to the first master key vulnerability recently announced by researchers from mobile security firm Bluebox Security. According to BlueBox, 99% of Android devices are vulnerable to this attack. Google has already patched the flaw and posted it to the Android Open Source Project (AOSP).

You can use ReKey, a free mobile app that's designed to patch the Android master key vulnerability that's present in an estimated 900 million devices that run Android and that could be exploited by attackers to take full control of a device.

Always get your apps from legitimate sources, always check to make sure the developer name is valid, and configure your phone so it doesn't permit installing apps from unknown sources.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.