Android devices running versions of the operating system below KitKat 4.4 are vulnerable to a new bug that could allow an attacker to modify an existing app without the OS knowing anything is wrong.
Discovered by iOS jailbreak hacker Jay Freeman, also known as Saurik, the new bug is similar to the so-called 'master key' flaw that was reported to Google in February and publicly disclosed this July.
The bug was said to affect all Android devices since at least version 1.6, and allowed an attacker to tamper with a legitimate Android app without breaking the cryptographic signature that Android uses to verify its integrity and authenticity.
Google made changes to Google Play to block trojanized apps that exploited that particular bug. Since then, however, other researchers have discovered another, similar bug.
Freeman reported the bug he discovered — the third such flaw unearthed in Android — to Google back in July, and the flaw was subsequently fixed by the company in Android 4.4.
As Freeman notes, the new bug is "weaker" than the two previous ones, but still exploitable and can, for example, be used to jailbreak Android smartphones earlier than Android 4.4.
Paul Ducklin, head of Sophos Asia Pacific, said the bug fixed in 4.4 stems from the way Android interprets the ZIP-based containers used for Android's app package format (APK). Basically, the package is read by two separate components, a loader and a verifier, and it is possible to show a different file to each of them. "Very simply put: the loader can be fed malware but the verifier will never see it," Ducklin wrote in a blog post.
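As an added illustration (not code from the article, Sophos or Freeman), the check below reads the same archive through the two views Ducklin describes, the central directory that a signature verifier typically walks and the local file headers that a loader reads, and reports any entry where they disagree. The two-entry archive and its file names are constructed for the demonstration and are not a real app.

```python
import io
import struct
import zipfile

# Local file header: sig, ver, flag, method, time, date, crc, csize, usize, nlen, elen
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def zip_view_mismatches(data: bytes) -> list:
    """Compare the central-directory view of an archive with the local-header
    view reached through each entry's offset; return every disagreement."""
    problems = []
    seen = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name in seen:  # two central entries claiming the same path
                problems.append("duplicate central entry: %s" % name)
            seen.add(name)
            off = info.header_offset
            sig, _v, _f, method, _t, _d, crc, csize, usize, nlen, _e = \
                LOCAL_HDR.unpack_from(data, off)
            if sig != b"PK\x03\x04":
                problems.append("%s: offset is not a local header" % name)
                continue
            local_name = data[off + LOCAL_HDR.size: off + LOCAL_HDR.size + nlen]
            if local_name != name.encode("utf-8"):
                problems.append("%s: local header names %r" % (name, local_name))
            if (method, crc, csize, usize) != (info.compress_type, info.CRC,
                                               info.compress_size, info.file_size):
                problems.append("%s: method/crc/size differ between views" % name)
    return problems


def build_sample_archive() -> bytes:
    """Constructed stand-in for an APK: two small entries, deflate-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def make_inconsistent_sample(data: bytes, member: str, new_name: bytes) -> bytes:
    """Test fixture: rewrite only the local header's name for `member` (same
    length) so the central directory and local view no longer agree."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        start = zf.getinfo(member).header_offset + LOCAL_HDR.size
    assert len(new_name) == len(member.encode("utf-8"))
    return data[:start] + new_name + data[start + len(new_name):]
```

A verifier that rejects an archive whenever `zip_view_mismatches` returns anything never signs off on a package whose loader-side view differs from the one it hashed.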
The question now is how long it will take for Android handset vendors to roll out the latest OS to users.
"Even though Google had the first of these bugs carefully disclosed to them by Bluebox in February, their Nexus device line did not see a fix until July (as part of 4.3), and many devices even today have yet to be patched. The story for the second bug is even worse: here's hoping the third bug causes more updates," Freeman wrote.