Android Exploit Found (Bug 8219321 & 9695860) !!! Fix Available


Some of you might have already heard of this issue, but I am sure many out there are still unaware of it, so better buckle up and READ carefully.

What is this fuss all about?

This basically involves two bugs in the Android source code, namely Bug 8219321 and Bug 9695860, both of which allow knowledgeable hackers to gain full access to the Android system and applications, access user data and ultimately gain full control of the device. Hackers can take advantage of a flaw between the signature verification step and app installation to insert a malicious payload into the APK and still have it installed.

Bug 8219321

This bug was initially reported by Bluebox Labs, which announced the discovery of a “master key” that allows an app to be verified as valid although it has been tampered with, so malicious code can be inserted into the app. Further information and technical details can be read here. Google has quietly patched this vulnerability, but the updated ROMs are yet to be shipped to Nexus devices. The devices known so far to have this fix are the variants of the Galaxy S4 and HTC One running Android 4.2.2. CyanogenMod has also applied this patch recently, as seen here.

Bug 9695860

Two days after the “Master Key” exploit went public, another similar bug was reported by a China-based group named “Android Security Squad” (translated name), which is obviously about Bug 9695860. The original post is in Chinese, but thanks to Google (irony…lol), we can have a vaguely understandable translation. Like its brother, it also allows malicious code to be inserted into seemingly harmless APKs. This flaw was discovered when the squad was examining a patch by Google, so at least we know that it has already been acknowledged. Still, older devices which do not receive updates anymore (a common Android problem, device support gets dropped very fast) are vulnerable to this bug.

Am I affected?

Lucky for us, there is a very simple method to find out. Just install SRT AppScanner from Play Store and run it. It will tell you whether the bugs are present or not. There are a few more similar apps in Play Store that do the same thing, but SRT AppScanner is recommended because it checks for both Bug 8219321 and Bug 9695860.

So who is safe?

You are not vulnerable (safe from the bugs) if you are running:

  • Stock ROMs that received the patch in a software update
  • CyanogenMod 10.1.1 stable
  • CyanogenMod nightlies starting from 8th July (maybe 7th is patched as well, depends on build time)
  • Any other CyanogenMod/AOSP-based ROMs which include the patch. Most of them directly inherit CyanogenMod’s libcore and if the build was created after 7th July, it’s patched.
  • Custom ROMs that are patched

How to fix??!!!

The easy way? Use a custom ROM or plead with your OEM to fix it ASAP (which most likely won’t happen). But there is also another, simpler method: using the well-known Xposed framework! This framework allows your device to do miraculous things, like protecting your privacy or theming your ROM. Now, XDA Recognized Contributor Tungstwenty has come up with an Xposed module to combat these bugs!

Requirements:

  1. An ARM-based device (this is for Xposed framework to work)
  2. Running Android 4.1.x and above
  3. Rooted device

Installation:

  1. Make sure the Xposed Framework is installed.
  2. Install the Master Key dual fix module.
  3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key dual fix.
  4. Reboot
  5. You should now see an image similar to the one below when opening the app. The green text shows that the module is active and the 2 vulnerabilities have been patched. To double check, run SRT AppScanner again; it should now report your device as safe if it had earlier reported that your device was affected.

[Image: dualfix]

Any reports or feedback about this module please refer to the XDA thread.

So guys, remember not to install APKs from unknown sources and always download from Play Store if possible to stay safe.
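As an added example (not from the original post and not how SRT AppScanner works internally): a small Python check you can run on a sideloaded APK before installing it. It assumes the publicly documented indicators of the two bugs, namely duplicate ZIP entry names for Bug 8219321 and a local-header extra-field length with the top bit set for Bug 9695860; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

LOCAL_HEADER_SIG = b"PK\x03\x04"

def scan_apk(data: bytes) -> dict:
    """Return tamper indicators found in an APK (a ZIP file) given as bytes."""
    findings = {"duplicate_names": [], "signed_extra_len": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()  # every central-directory entry, duplicates included
    # Assumed indicator for Bug 8219321: the same entry name listed more than once.
    counts = Counter(e.filename for e in entries)
    findings["duplicate_names"] = sorted(n for n, c in counts.items() if c > 1)
    # Assumed indicator for Bug 9695860: extra-field length >= 0x8000 in a local
    # file header, which a signed 16-bit read interprets as a negative number.
    for e in entries:
        hdr = data[e.header_offset:e.header_offset + 30]
        if len(hdr) < 30 or hdr[:4] != LOCAL_HEADER_SIG:
            continue  # truncated or malformed header, nothing to read
        extra_len = struct.unpack_from("<H", hdr, 28)[0]
        if extra_len & 0x8000:
            findings["signed_extra_len"].append(e.filename)
    return findings

def build_sample(duplicate: bool) -> bytes:
    """Constructed test archive with placeholder contents (not a real APK)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"placeholder")
            zf.writestr("classes.dex", b"placeholder-1")
            if duplicate:
                zf.writestr("classes.dex", b"placeholder-2")
    return buf.getvalue()

if __name__ == "__main__":
    for label, dup in (("clean", False), ("duplicate", True)):
        print(label, scan_apk(build_sample(dup)))
```

Any non-empty list in the result is a reason to discard the APK; a legitimately built package has neither property.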



Ryuinferno

A not-so-developer developer, active in the XDA-Developers Forum. Still learning things on the run, but knowledgeable enough to identify frauds and can't stand to see more and more wannabe "developers" making false claims about their "work".

4 Responses

  1. lopestom says:

    Good notice for us. Thanks for this.

  2. Mauricio Najera says:

    like always, x86 devices are forgotten…

    • Ryuinferno says:

      This is because not many developers have x86 devices, and they are not as common as ARM devices…Xposed is trying to launch support for x86, but not many have tested it to confirm whether it is working or not…if you have sufficient adb knowledge and are interested in testing, please refer to the Xposed framework thread on XDA…

  1. July 30, 2013

    […] #1786 Hey Chevy, just wanted to plant a seed for when/if you get time. I noticed the latest "master key" exploits have been patched back to CM7, so new builds for at least Gingerbread based devices would […]
