Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Scanner detects vulnerabilities in Android master key

Zscaler : 07 August, 2013  (New Product)
An Android master key vulnerability enabling malicious code injections can be detected by a scanner released by Zscaler
Scanner detects vulnerabilities in Android master key

The recently disclosed Android master key vulnerability by CTO of BlueBox, Jeff Forristal, allows an attacker to inject malicious code into an Android application without the need to alter or invalidate the application’s digital signature. This impacts almost all current Android implementations and to make matters worse, patches cannot be issued directly by Google, but require individual handset manufacturers to provide patches for their unique Android implementation. To date, some have provided patches, while others haven’t.

This vulnerability allows an attacker to inject malicious code by placing duplicate executable files – such as classes.dex – into an application package. The package verification that occurs during installation is done against only the original, legitimate file and thus the .apk passes the verification. However, at runtime, the duplicate .dex file will also be executed. The attacker’s malicious code in the second classes.dex may for example, have a routine for leaking personal information such as email addresses or IMEI numbers. It could also send SMS or make calls without user consent. A second AndroidManifest.xml file supporting the second classes.dex, replaces the legitimate .xml file, so that additional permission declarations are injected along with necessary permissions needed by the malicious classes.dex file.

Open source tools are already available which allow for code to be injected into an .apk file and modify the Android manifest file to take advantage of this vulnerability.
 
While a user may notice the excessive permissions that are required by the second android manifest file at the time of installation, it’s quite likely that this attack will go completely undetected. As apps have already been spotted in the wild exploiting this vulnerability, Zscaler has developed a simple web application designed to scan any .apk to identify those apps that are exploiting the Android Master Key vulnerability. Our web app works by checking the integrity of the .apk file. Specifically, it dissects the .apk file to look for the presence of additional, malicious classes.dex files or any extra Android manifest files. You simply need to upload any .apk to the scanner in order to obtain a report indicating if the Android app is taking advantage of this vulnerability.

Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo