Early last month Google Inc. announced that it had finally patched an Android master key vulnerability that allowed attackers to modify applications for the mobile operating system and turn them into Trojan apps.
Jeff Forristal, chief technology officer of mobile security Bluebox Security, who discovered the master key flaw six months ago, said “there are multiple master keys.”
With the original master key, attackers could change legitimate apps without being detected. For instance in a separate Black Hat briefing researchers demonstrated how to alter code in the game Angry Birds to turn an Android phone into a spy phone that could record calls, take pictures with the phone’s camera and send personal data to a command and control server.
Forristal said it took just 17 days from the time details of the original master key flaw were released for an exploit to be found in the wild.
It took seven days from the time of the original exploit, he said, for similar bugs to be discovered in different places.
Forristal said solving the problems is hard because it could never be ascertained how fast carriers or providers of Android phones are installing OS patches or if they are installing patches at all.