Early last month Google Inc. announced that it had finally patched an Android master key vulnerability that allowed attackers to modify applications for the mobile operating system and turn them into Trojan apps.

Guess what?

There may be more Android master keys lying around for attackers to exploit, according to a speaker at the recent Black Hat hacker convention in Last Vegas.

Jeff Forristal, chief technology officer of mobile security Bluebox Security, who discovered the master key flaw six months ago, said “there are multiple master keys.”

With the original master key, attackers could change legitimate apps without being detected. For instance in a separate Black Hat briefing researchers demonstrated how to alter code in the game Angry Birds to turn an Android phone into a spy phone that could record calls, take pictures with the phone’s camera and send personal data to a command and control server.


Android flaw allows hackers to alter apps
Android finally patches bug: Report
Alternative fixes for Android ‘master key’ vulnerability

Forristal said it took just 17 days from the time details of the original master key flaw were released for an exploit to be found in the wild.

It took seven days from the time of the original exploit, he said, for similar bugs to be discovered in different places.

Forristal said solving the problems is hard because it could never be ascertained how fast carriers or providers of Android phones are installing OS patches or if they are installing patches at all.

Read the whole story here

Related Download
Cybersecurity Conversations with your Board Sponsor: CanadianCIO
Cybersecurity Conversations with your Board – A Survival Guide
Download Now