The recently disclosed Android master key vulnerability by CTO of BlueBox, Jeff Forristal, allows an attacker to inject malicious code into an Android application without the need to alter or invalidate the application’s digital signature. This impacts almost all current Android implementations and to make matters worse, patches cannot be issued directly by Google, but require individual handset manufacturers to provide patches for their unique Android implementation. To date, some have provided patches, while others haven’t.
This vulnerability allows an attacker to inject malicious code by placing duplicate executable files – such as classes.dex – into an application package. The package verification that occurs during installation is done against only the original, legitimate file and thus the .apk passes the verification. However, at runtime, the duplicate .dex file will also be executed. The attacker’s malicious code in the second classes.dex may for example, have a routine for leaking personal information such as email addresses or IMEI numbers. It could also send SMS or make calls without user consent. A second AndroidManifest.xml file supporting the second classes.dex, replaces the legitimate .xml file, so that additional permission declarations are injected along with necessary permissions needed by the malicious classes.dex file.
Open source tools are already available which allow for code to be injected into an .apk file and modify the Android manifest file to take advantage of this vulnerability.
While a user may notice the excessive permissions that are required by the second android manifest file at the time of installation, it’s quite likely that this attack will go completely undetected. As apps have already been spotted in the wild exploiting this vulnerability, Zscaler has developed a simple web application designed to scan any .apk to identify those apps that are exploiting the Android Master Key vulnerability. Our web app works by checking the integrity of the .apk file. Specifically, it dissects the .apk file to look for the presence of additional, malicious classes.dex files or any extra Android manifest files. You simply need to upload any .apk to the scanner in order to obtain a report indicating if the Android app is taking advantage of this vulnerability.