KitKat gets fix for Android app tampering bug, but earlier versions still vulnerable

Summary: Google has released a fix in Android 4.4 KitKat for a bug that can be used to stealthily manipulate apps on Android 4.3 and below.

Android devices running versions of the operating system below KitKat 4.4 are vulnerable to a new bug that could allow an attacker to modify an existing app without the OS knowing anything is wrong.

Discovered by iOS jailbreak hacker Jay Freeman, also known as Saurik, the new bug is similar to the so-called 'master key' flaw that was reported to Google in February and publicly disclosed this July.

The bug was said to affect all Android devices since at least version 1.6, and allowed an attacker to tamper with a legitimate Android app without breaking the cryptographic signature that Android uses to verify its integrity and authenticity.

Google made changes to Google Play to block any trojan apps that exploited that particular bug. Since then, however, other researchers have discovered another, similar bug.

Freeman reported the bug he discovered — the third such flaw unearthed in Android — to Google back in July, and the flaw was subsequently fixed by the company in Android 4.4.

As Freeman notes, the new bug is "weaker" than the two previous ones, but it is still exploitable and can, for example, be used to jailbreak Android smartphones running versions earlier than Android 4.4.

Paul Ducklin, head of Sophos Asia Pacific, said the bug fixed in 4.4 stems from the way Android interprets the ZIP-based storage containers used for Android's app file format (APK). Basically, there is a loader and a verifier, and it is possible to show different files to each of them. "Very simply put: the loader can be fed malware but the verifier will never see it," Ducklin wrote in a blog post.
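The loader/verifier disagreement Ducklin describes can be screened for before an APK is trusted. The following is an added example, not code from the article, Google, Freeman or Sophos. It generalizes beyond the article, which does not say which ZIP fields this bug involves: the two checks (a reused entry name, and a local header name that disagrees with the central directory) are assumed here as typical ways two ZIP readers can diverge, and `find_parser_differentials` and `build_sample` are hypothetical names.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte ZIP local file header


def find_parser_differentials(archive):
    """List places where two ZIP readers could resolve different content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        entries = zf.infolist()  # one record per central-directory entry
    counts = Counter(e.orig_filename for e in entries)
    for name, n in sorted(counts.items()):
        if n > 1:  # a reader keeping the first copy and one keeping the last diverge
            findings.append(f"duplicate name: {name} appears {n} times")
    for e in entries:
        start = e.header_offset
        raw = archive[start:start + LOCAL_HEADER.size]
        if len(raw) < LOCAL_HEADER.size or raw[:4] != b"PK\x03\x04":
            findings.append(f"bad local header: {e.orig_filename}")
            continue
        fields = LOCAL_HEADER.unpack(raw)
        flags, name_len = fields[2], fields[9]
        name_start = start + LOCAL_HEADER.size
        local = archive[name_start:name_start + name_len]
        local_name = local.decode("utf-8" if flags & 0x800 else "cp437", "replace")
        if local_name != e.orig_filename:  # the two headers describe different files
            findings.append(f"name mismatch: central={e.orig_filename!r} local={local_name!r}")
    return findings


def build_sample(duplicate=False, rename_local=False):
    """Constructed test archive (not a real APK)."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name is reused
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("classes.dex", b"signed content")
            if duplicate:
                zf.writestr("classes.dex", b"other content")
    data = bytearray(buf.getvalue())
    if rename_local:  # edit only the first local header; central directory untouched
        data[30:41] = b"classes.bin"
    return bytes(data)
```

An empty result means only that these two checks passed; any finding is a reason to reject the archive rather than guess which view the installer will use.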

The question now is how long it will take for Android handset vendors to roll out the latest OS to users.

"Even though Google had the first of these bugs carefully disclosed to them by Bluebox in February, their Nexus device line did not see a fix until July (as part of 4.3), and many devices even today have yet to be patched. The story for the second bug is even worse: here's hoping the third bug causes more updates," Freeman wrote.

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, s...
