Is Your Android Device Secure? New Vulnerabilities Raise Serious Questions (Part 1)

**UPDATED** as of 5:18 pm EDT

Ever heard of the “Master Key,” or know how your “weblogin Token” can be stolen? Both are serious issues that demand the question: “Is your Android device secure?” As an attorney, it’s likely that you use your phone or tablet to conduct business, including storing or discussing confidential client information. If any of the devices you use operate on the Android OS, you had better have the security of that information in mind, and know how to minimize your risks. In this three-part article, I hope to help you do just that.

First, what is the “Master Key,” and how does it affect my security…

(In Part 1, I will discuss the “Master Key” vulnerability, in Part 2, I will discuss the recently revealed security problem with Google’s “weblogin Token,” and in Part 3, I will talk about how Google’s piecemeal update system makes these vulnerabilities particularly worrisome, and what attorneys can do to protect themselves and their clients’ confidential information.)

A recent analysis revealed a new, disturbing vulnerability in the Android OS, ominously referred to as the “Master Key.” How disturbing? Apparently 99% of Android devices are susceptible. This vulnerability could potentially allow hackers to convert any app into a malicious Trojan without setting off the security system that Google uses to prevent apps from being modified, called the “cryptographic signature.”

Specifically, each Google app has the “cryptographic signature” safety feature which acts essentially like a seal to indicate when an app has been tampered with (akin to the safety seal on a bottle of aspirin). Google’s system is set up to see when the app has been changed by looking to see if the signature has been modified. However, the “Master Key” vulnerability would potentially allow a hacker to completely bypass the “cryptographic signature,” and insert malware into an app without Google’s traditional security measures being able to detect the modification.
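As an added illustration (not code from Bluebox, Google or the original post), the seal idea can be sketched in Python: a trusted list of per-file SHA-256 digests stands in for the signed manifest, and the check also rejects an archive that carries the same file name twice, because a check keyed by name cannot say which copy it covered. The file names, contents and helper functions are constructed for the example, and a real Android package additionally signs the digest list itself.

```python
import hashlib
import io
import warnings
import zipfile
from collections import Counter


def build_archive(entries):
    """Build an in-memory ZIP from (name, bytes) pairs (constructed sample data)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name repeats
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def check_archive(archive, manifest):
    """Return a list of problems; an empty list means the seal is intact."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = zf.infolist()
        counts = Counter(info.filename for info in infos)
        # A name-keyed digest list cannot tell two same-named entries apart.
        for name in sorted(n for n, c in counts.items() if c > 1):
            problems.append(f"duplicate entry name: {name}")
        for info in infos:  # read each physical entry, not just one per name
            expected = manifest.get(info.filename)
            if expected is None:
                problems.append(f"unlisted entry: {info.filename}")
            elif hashlib.sha256(zf.read(info)).hexdigest() != expected:
                problems.append(f"digest mismatch: {info.filename}")
        for name in sorted(set(manifest) - set(counts)):
            problems.append(f"missing entry: {name}")
    return problems


# Constructed sample package and its trusted digest list (hypothetical data).
ORIGINAL = [("classes.dex", b"original app code"), ("res/icon.png", b"icon bytes")]
MANIFEST = {name: hashlib.sha256(data).hexdigest() for name, data in ORIGINAL}
CLEAN = build_archive(ORIGINAL)
TAMPERED = build_archive([("classes.dex", b"modified code"), ORIGINAL[1]])
DOUBLED = build_archive(ORIGINAL + [("classes.dex", b"modified code")])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED), ("doubled", DOUBLED)):
        print(label, check_archive(blob, MANIFEST))
```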

In a previous post, I discussed two major security concerns for lawyers who choose an Android OS-based device: 1) that around 79% of all malware discovered in 2012 was Android-OS software, and 2) that updates for the Android OS did not originate from Google universally, but rather were provided individually by each device’s manufacturer, if and when the manufacturer decided to release the update. The high amount of malware and the piecemeal firmware update process make it that much more difficult to secure against “Master Key” access.

Although the analysis indicates that most apps exploited using the Master Key would only give a hacker access to data stored within that app (such as SMS texts in a messaging app), it is also possible for the vulnerability to be exploited in apps with much greater security access (such as apps installed by the manufacturer or other apps with greater access).

By inserting a Trojan into system apps, a hacker would then have complete access to the phone, including any stored passwords and information. More serious, though, would be the potential for a hacker to “hijack” the device to make calls, send messages, operate the camera and record conversations. The hacker could even use the phone as a “zombie,” rendering the owner of the phone an unwitting accomplice to the hacker’s illegal activity.

Note: There are no reported instances of the Master Key vulnerability being used by a hacker, but, as you will see in Part 2 of this piece, just because Google hasn’t detected an app utilizing this vulnerability does NOT mean that it doesn’t exist.

Despite there being no cited examples of the “Master Key” vulnerability being used, when Bluebox presented its analysis revealing the existence of the vulnerability, it included a screenshot of a phone in which they were able to modify the essential system files of an Android OS device by exploiting the Master Key. The screenshot, which you can see here, shows that Bluebox was able to insert its name into the phone’s “Baseband Version string,” which Bluebox states is usually controlled and configured exclusively by the phone’s firmware.

According to Bluebox and Google, the newest updates to the Android OS will seek to patch the vulnerability (apparently the Galaxy S4 has already been patched, and the Google Play app store has been updated to recognize and delete any apps modified to exploit the Master Key). However, Bluebox reported that the availability of patches for Android devices depends on the individual device manufacturers creating and releasing the firmware updates, and on the users installing them. It is believed that the Android OS 4.3 will seek to address this problem, but phones with firmware that is modified by the manufacturer and phones that are not updated to the newest version will remain vulnerable…

**UPDATE** Researchers have identified an app, allegedly an update to a banking app, that utilizes the “Master Key” vulnerability to insert a malicious Trojan into the user’s device.

(To be continued Wednesday with a discussion of the “weblogin Token” vulnerability, and concluded on Friday with tips and suggestions of how Android OS users can protect themselves from hackers attempting to utilize these vulnerabilities.)