Hackers can remotely control your phone – Android 4.4 vulnerability revealed, with EXP

ID MYHACK58:62201341128
Type myhack58
Reporter Anonymous
Modified 2013-11-06T00:00:00


Security expert Jay Freeman discovered that Android 4.4 contains an additional Master Key vulnerability that allows an attacker to bypass signature verification and malicious code detection and inject malicious code into a legitimate application.


The “Android Master Key vulnerability” was first discovered last July, and nearly 99% of devices are affected. The Master Key vulnerability allows an attacker to modify any legitimate, digitally signed application and inject malicious code in order to steal sensitive information, gain access to the device, and obtain remote execution privileges.

The vulnerability was discovered and disclosed by Bluebox Labs, and Google fixed the issue in the later Android 4.3 Jelly Bean release. Google has also changed its detection strategy to prevent applications modified with malicious code from being submitted to the Play Store.

In July 2013, the Chinese Android Security Squad also disclosed a similar vulnerability.

Today Google released Android 4.4, named KitKat, promising that this version of the system has better security and fixes all of the Master Key vulnerabilities. However, it turns out that security is not absolute.

Security expert Jay Freeman, the Cydia developer known as Saurik, said that the same kind of Master Key vulnerability is present in Android 4.4 KitKat, and released a Python EXP to demonstrate how the vulnerability is exploited.

“Last night the Android 4.4 code was pushed to AOSP, and it fixes another digital signature verification vulnerability, bug #9950697. Although the vulnerability this time is not serious, it is still enough to be exploited through technical means. In this article, I will show how to write the exploit program in Python.”


(Translator's note: sorry, the patch and the EXP in the original article are also images.)

The vulnerability is similar to the one disclosed by the Android Security Squad. Every application must be signed by its developer with a self-signed certificate for authentication. The Android application manager uses the developer's signature to determine whether applications may share information and obtain the relevant permissions, and it verifies that signature.

“Even system software is signed by the manufacturer, and software carrying the same signing certificate as the system software can do anything. In general, unless you are the manufacturer, you cannot do this. But by using the #8219321 vulnerability, anyone can steal these signing certificates.” “This leads to the risk that an external third-party application carries the same signing certificate as you. When you install what you think is a harmless game, this application, seemingly published by your manufacturer, obtains system permissions.” “The vulnerability relates to how Android applications are cryptographically verified and installed, allowing the code to be modified without affecting the signature.”

The EXP modifies the application installation package without affecting its signature, so that the modified package installs onto the system and obtains all permissions and data.

Although no program that uses the vulnerability to add malicious code has so far been found in the Google Play Store, and no Android users have been found to be affected by the vulnerability, it is recommended not to download applications from unofficial marketplaces.