
Master Key, Bluebox, root fix

Discussion in 'Android Devices' started by ironass, Jul 17, 2013.

  1. ironass

    (UPDATE See post #5)


    Earlier last month, RFP from BlueBox published a sneak preview of his upcoming BlackHat talk, detailing a vulnerability in the Android platform that affects nearly all Android devices. Soon after, a vulnerability of similar nature and impact was published on a Chinese forum. Both of these "Master Key" vulnerabilities allow an attacker to modify the code of an Android package without affecting the signature of the package as verified by the package manager, which has serious implications when considering system-signed packages. From an end user perspective, the vulnerabilities allow an attacker to take full control of a user's device.

    Google will be issuing a fix for this in their newer releases of Android firmware. However, these fixes will take time to filter down the food chain from Google to carriers to users... if indeed, a firmware update is even issued for older devices that are now past End of Life, since this vulnerability affects 99% of all Android devices going back to Android 1.6, Donut.

    Not wishing to take a chance, I have installed an app, free from the Play Store, which is the result of a research collaboration between Duo Security, a cloud-based two-factor authentication and mobile security company, and Northeastern University's System Security Lab (NEU SecLab), and which patches the "Master Key" vulnerabilities on rooted devices.

    The patch is not phone, device or firmware specific... you can whack it on any Android device that is rooted. Once activated it patches the device but should you flash a different firmware you will need to patch it again.

    The app is ReKey and can be downloaded from the Play Store

    Download

    Source


    dynomot, webby62, Twinn and 4 others like this.
  2. avushkaa

    I installed this "ReKey" but my phone started to freeze up on me.
    The phone had 85% battery. I left it on the table for half an hour and then I pushed the power button but there was no lock screen. The phone was sooo hot.
    Then I opened the back case, took the battery out for 1 min and started the phone, and the battery showed 42%.
    I uninstalled the app.

    Any idea why this happened?

    UPDATE: "Master Key" + "Bug 9695860" vulnerabilities - by Tungstwenty

    Now I'm using this patch to sort out those two bugs.
     
    ironass likes this.
  3. ironass

    Did you try wiping cache, dalvik and Fix Permissions after installation?

    There has been a newer release of ReKey in the last 12 hours that addresses the boot freeze problem.
     
  4. avushkaa

    No, I didn't.
    But interestingly, when I scanned my phone with SRT Scanner it showed my phone isn't vulnerable against master key but that other bug mentioned in Tungstwenty's post in XDA.

    Later I used the Xposed modules patch to get secured against both bugs.
     
  5. ironass

    Thanks for the "heads up" on that Universal Fix, avushkaa! :thumbup:

    You are running the very latest firmware for the SGSII which, as you point out, has the patch for the Bluebox bug. Thanks to the newly released SRT Scanner, it is now possible to check for this.

    However, perhaps more worryingly, as you have discovered, it also shows that there is no protection for the 9695860 bug using ReKey, as I explain in this update to another post...

     
    Brian706 likes this.
  6. avushkaa

    One of my friends asked me what to do regarding these bugs if his / her phone is not rooted. I told him / her not to install any non-Play Store app. And maybe Samsung will update the firmware with the dual patch for all regions.

    But is Samsung really gonna update the firmware with the patch for all regions?
    And what really should people do if their phone isn't rooted?
     
  7. ironass

    Google already have a patch for the second Master Key in the latest builds of Android code but, as far as I am aware, no release yet for it on any device, something which will take time I'm afraid.

    Good question. The SGSII is now EoL and Android 4.1.2 seems likely to be the last update unless there is a goodwill splurge with Android 4.2.2. Even then, would most carriers bother supporting it... I doubt it since there is nothing but goodwill in it for them.

    There might, in future, be an app from say, the Play Store, that could, like ReKey, provide protection.

    I think that the best option to-date, if you are on Android 4.0+, is the one you mentioned for the Dual Fix by Tungstwenty....

    Universal patch for "Master Key" + "Bug 9695860" vulnerabilities
     
    avushkaa likes this.
  8. Rxpert83

    Your best protection will always be downloading apps from the Google Play Store.

    This vulnerability, although it got lots of media coverage, really isn't that big of a deal. It requires you to side load the apk, which isn't an issue for the vast majority of users.

    It's the more advanced users that are doing this, but we're also much further ahead of the curve in protecting ourselves.
     
  9. ironass

    Agreed, Rxpert83! Whilst the vulnerabilities themselves are very real, neither of them to-date has been exploited.

    Downloading only from the Play Store currently offers the best protection. However, as this is a rooted forum, how many of us do not side load at one time or another?
     
  10. ironass

  11. ironass

    It would appear that cyber criminals are not slow to catch on to the Android Master Key exploits and more examples are cropping up...

    More Exploits for Android 'MasterKey' Vulnerability Turn Up in the Wild

    Researchers find trojanized banking app that exploits critical Android bug

    The chances are that if you have received a firmware update for your device in the last 3 or 4 months, it will have a fix for 1 of the 2 identified exploits, Bug #8219321, but not for Bug #9695860, which Android has also issued a patch for but which, as yet, has not made its way to any firmware releases.

    You can check to see which of the Bugs you are vulnerable to by installing and running SRT AppScanner, free from the Google Play Store.

    App developers are also starting to take these exploits seriously...

    Android Flaw Puts Bitcoin Wallet Apps at Risk of Theft

    Some degree of protection is offered by only using the Google Play Store and ensuring that installing apps from, "Unknown sources", is deselected on your device. Antivirus software will not prevent the Master Key exploits and may, or may not, detect them after installation.

    You should also ensure that you have the very latest firmware installed for your device.

    In the meantime, for rooted users, there is the fix mentioned earlier.
     
    Twinn likes this.
