KitKat gets fix for Android app tampering bug, but earlier versions still vulnerable

Summary: Google has released a fix in Android 4.4 KitKat for a bug that can be used to stealthily manipulate apps on Android 4.3 and below.

TOPICS: Google, Android

Android devices running versions of the operating system below KitKat 4.4 are vulnerable to a new bug that could allow an attacker to modify an existing app without the OS knowing anything is wrong.

Discovered by iOS jailbreak hacker Jay Freeman, also known as Saurik, the new bug is similar to the so-called 'master key' flaw that was reported to Google in February and publicly disclosed this July.

The 'master key' bug was said to affect all Android devices since at least version 1.6, and allowed an attacker to tamper with a legitimate Android app without breaking the cryptographic signature that Android uses to verify its integrity and authenticity.

Google made changes to Google Play to block any trojan apps that exploited that particular bug. However, since then, other researchers have discovered another, similar bug.

Freeman reported the bug he discovered — the third such flaw unearthed in Android — to Google back in July, and the flaw was subsequently fixed by the company in Android 4.4.

As Freeman notes, the new bug is "weaker" than the two previous ones, but it is still exploitable and can, for example, be used to jailbreak Android smartphones running versions earlier than Android 4.4.

Paul Ducklin, head of Sophos Asia Pacific, said the bug fixed in 4.4 stems from the way Android interprets the ZIP file-based storage containers that are used in Android's app file format (APK). In essence, the OS has a loader and a verifier, and it is possible to present different files to each of them. "Very simply put: the loader can be fed malware but the verifier will never see it," Ducklin wrote in a blog post.
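The article does not say which ZIP fields the loader and the verifier read differently, so this added example (not code from the article, Freeman, Sophos or Google) generalizes: it flags two kinds of ambiguity that two archive parsers could resolve differently, namely duplicate entry names and a local file header whose name disagrees with the central directory record. `audit_zip` and `constructed_sample` are hypothetical names, and the sample archive is constructed.

```python
import io
import struct
import zipfile

def audit_zip(data: bytes) -> list[str]:
    """List ZIP structures that two independent parsers could resolve differently."""
    findings, seen = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # entries as the central directory lists them
            name = info.orig_filename
            # Check 1: a repeated name lets one parser pick the first entry
            # and another parser pick the last.
            if name in seen:
                findings.append(f"duplicate entry: {name}")
            seen.add(name)
            # Check 2: the local file header must describe the same entry
            # as the central directory record that points to it.
            off = info.header_offset
            hdr = data[off:off + 30]
            if len(hdr) < 30 or hdr[:4] != b"PK\x03\x04":
                findings.append(f"bad local header: {name}")
                continue
            (name_len,) = struct.unpack("<H", hdr[26:28])
            enc = "utf-8" if info.flag_bits & 0x800 else "cp437"
            local = data[off + 30:off + 30 + name_len].decode(enc, "replace")
            if local != name:
                findings.append(f"local/central name mismatch: {name}")
            # Extra-field lengths are not compared: they may legitimately
            # differ between the two records (alignment padding, for example).
    return findings

def constructed_sample(tamper: bool) -> bytes:
    """Constructed input: a two-entry archive; tamper alters one local name byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder")
    raw = bytearray(buf.getvalue())
    if tamper:
        raw[30] ^= 0x01  # first name byte of the first local header
    return bytes(raw)

if __name__ == "__main__":
    print(audit_zip(constructed_sample(False)))
    print(audit_zip(constructed_sample(True)))
```

A non-empty result means the archive should be rejected or inspected by hand before installation, since a signature check and a loader may not be looking at the same bytes.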

The question now is how long it will take for Android handset vendors to roll out the latest OS to users.

"Even though Google had the first of these bugs carefully disclosed to them by Bluebox in February, their Nexus device line did not see a fix until July (as part of 4.3), and many devices even today have yet to be patched. The story for the second bug is even worse: here's hoping the third bug causes more updates," Freeman wrote.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Too much work - they just don't care.

    Well it's an awful lot of work to maintain more than one release. Seems Google is following Apple's lead on this one and just forgetting about anything older than the last release. You know, they just don't care.
    • seriously

      I hate people who compare products when it's their own mistake. Stop being such a dick. If Apple did that, it does not mean Google has to do the same, and vice versa.
  • this is a bug on Android

    on Windows it's a _feature_. Whoever has a tendency to install something outside Google Play won't be protected much even when it's fixed; likewise, it won't be any help to those who blindly install apps without first questioning the permissions.
    • on Windows it's a _feature_?

      Please explain, thanks
      • an explanation

        On Windows you install whatever binary without the code verification. Of course, there are capabilities to do that if the author of the executable had set it up that way. It's not mandatory as it is on both Android and some GNU/Linux systems, like Debian apt. The latter routinely verifies both the component's sha-sums and the digital signatures of an installed binary. Plus, on GNU/Linux there are trusted repositories, an unrealizable dream for the MS Windows (and Apple Mac OS X) users.
        • trusted repositories

          Wouldn't the Windows and App store qualify?
          • they would

            20 some years since the dawn of MS Windows. And BTW, it would be a good way to sue Microsoft for stealing this idea from the GNU/Linux and *BSD. Providing you could get most of software from there? But what is available? Firefox, Apache2, PostgreSQL, GNU Emacs? No those are all absent, you can dump this Windows Store in the garbage then.
            Can you make your own, like with apt?
            Regardless, it would be a good thing to sue MS and Apple for stealing this idea of "trusted repos" from the original inventors.
  • Just throwing this out there

    Technically you're probably not "Jailbreaking" Android as the article would suggest, rather, you'd be "rooting" the Android phone.
  • Google needs to change the way they manage the OS...

    Windows and Linux which run on many more devices than Android get regular updates. From closed source to open source, both do it regularly.

    Android is not some special case. The Kernel, and essential OS should be separate from drivers. Thus allowing Google to update Kernel, etc and let the manufacturers manage the driver/UI level updates.

    This isn't rocket science, and Google isn't run by stupid people...

    Either they don't care or it's not a priority... Which is sad considering how many people use Android.
    • Pretty sure ...

      ... that's the direction they're headed in.
  • Article implication

    1. You are careful with what you install-- mostly from the Play store, with a few from Amazon, etc.
    2. You check feedback on all installs, and only install programs which have a lot of positive feedback.
    3. You have a virus scanner on your Android phone.

    Nevertheless, a hacker can modify SOMEONE ELSE'S (??) binary in the Play store, or it can be modified on the fly (??), resulting in malware installed on your phone.

    Is this right? If so, how do you stop it??