Another Android “master key” bug revealed
Posted on 07 November 2013.
The existence of another “master key” bug that can be used to push malware onto Android users has been publicly disclosed by Jay Freeman (a.k.a Saurik), the technology consultant and security researcher who unearthed the bug around the same time as the previous two were found and disclosed in July.

Freeman didn’t go public with his knowledge then, and instead notified Google of the flaw so that it could be fixed in the upcoming update of the OS. Now that the update is out, he has shared the bug’s details in a blog post.

In short, the bug is similar to the second one found, and allows malware peddlers to exchange a legitimate, verified app with one that has had malware added to it, all without the device spotting the subterfuge and stopping it.

I won’t go deeply into the technical details, as Freeman’s post explains the problem perfectly, includes a PoC of an exploit for it, and explains how the bug can be patched. Alternatively, Sophos’ Paul Ducklin also did a bang-up job explaining the bug’s intricacies.

Users who have updated their Android installation to the latest (4.4 - KitKat) version are the only ones whose devices currently can’t be compromised with malicious apps taking advantage of this flaw.

Since KitKat was released a little over a week ago, and Android updates are typically slow to reach actual devices, only Google Nexus owners are, so far, safe. Google aims to bring the majority of users up to this newest version as soon as possible, but realistic expectations and announced deadlines point mostly to updates in 2014.

