A few months ago, Jeff Forristal from bluebox.com discovered a security issue in Android system and disclosed it to Google in February 2013 (filed as Android security bug 8219321) another similar problem has also been highlighted a few weeks ago (bug 9695860)
These security issues allow exploiting signed Android applications (APK) by modifying the program they contain while maintaining the existing application signature intact. Such modified applications will appear signed by the original author so the exploit can be used by someone with bad intentions who could modify an application in a malicious way including a potentially dangerous payload.
These vulnerabilities have been patched by Google in their Android Open Source Project (AOSP) code, but not all OEM manufacturers have yet deployed these fixes so far. Smaller manufacturers (which is the case for most Chinese tablets, including Archos / Arnova) haven’t yet fixed all their products. Some modified versions of Android code such as CyanogenMod (CM 10.1) have already the fixes in place. According to bluebox.com, Google Play Store should be protected to received applications modified to exploit this security problem. Still, it’s quite easy for to malware type applications hosted on less protected Market places or downloaded from upload sites could easily infect unprotected devices.
We recommend that you make sure your device is patched against the Master Key vulnerability. If that’s not the case, stay safe and download apps only from official market places or trusted sources.
Check your device using Bluebox Security Scanner
You can download and install the free Bluebox Security Scanner application on Google Play Store. Amazon.com and getjar.com to verify if your device is vulnerable to these security bugsThis application will check if your device has been safely patched against Google “Master Key” security bugs 8219321 and 9695860, it will also perform an integrity check by for searching for installed apps that may be affected by this vulnerability.
Verified products against Master key vulnerability (Android security bug 8219321 and 9695860)
We are posting a short list of tested vulnerability on a few devices. Feel free to check your device with Bluebox Security Scanner and report the results in the comments section below. Please specify your full device reference (manufacturer and model), firmware version/build date and vulnerability result for both 8219321 and 9695860 bugs.Archos and Arnova products
| Date reported | Device (Manufacturer and model) | Device firmware version/date | 8219321 bug | 9695860 bug |
|---|---|---|---|---|
| 2013/11/15 | ARCHOS GamePad 2 | Android 4.2.2 2013/09/25 | Vulnerable | Vulnerable |
| 2013/08/12 | ARCHOS TV Connect | Android 4.1.2 firmware 4.1.5 | Fixed | Vulnerable |
| 2013/08/07 | ARCHOS Gamepad | Android 4.1.1 JRO03H/20121220.155836 | Vulnerable | Vulnerable |
| 2013/08/07 | ARCHOS 50 Platinum | Android 4.1.2 20130604.164753 | Fixed | Vulnerable |
Other Android products
| Date reported | Device (Manufacturer and model) | Device firmware version/date | 8219321 bug | 9695860 bug |
|---|---|---|---|---|
| 2013/11/16 | Google Nexus 7 (2013) | Android 4.4 (KRT16O) | Fixed | Fixed |
| 2013/08/07 | Cube U55GT | Android 4.2.2 (2013/09/13) | Fixed | Fixed |
| 2013/09/04 reported by sipdude | Cube U30GT2 | Android 4.2.2 Firmware 2.04 final 2013-08-10 | Fixed | Vulnerable |
| 2013/08/07 | Sony Xperia Z (C6603) | Android 4.2.2 (10.3.1.A.0.244) | Fixed | Fixed |
| 2013/08/07 | Google Nexus 10 | Android 4.3 (JWR66V) | Fixed | Fixed |
| 2013/08/07 | Onda V972 | Android 4.2.2 20130726 | Vulnerable | Vulnerable |
Source:
Jeff Forristal blog article
Blackhat USA 2013 security conference : Forristal talk
Android Security Squad (安卓安全小分队) blog article and English translation
Thanks cajl / Jbmm.fr for his feedback.
You might also like:
-
Tronsmart T428 rooted Android 4.2.2 JellyBean firmware (update 2013/05/29) -
Arnova 10 G2 Android 4.03 ICS custom firmware update with root and Google Play Store released -
Arnova 90 G3, low cost 9″ Android tablet [Updated] -
ARNOVA 10 G2 Android 4.03 ICS custom firmware with root and Google Play Store to be published soon
-
Cube U30GT2 Android 4.1 custom root firmware (v 1.03)
Loading ...![Quechua first sold some samples of their 5″ outdoor phone to a few customers to gather feedback from amateur hikers testing the product. Few weeks later, the Quechua Phone 5′ […]](http://www.arctablet.com/blog/wp-content/uploads/2013/12/36x36xQuechua_Phone_5_box_and_phone_IMG_8454c-36x36.jpg.pagespeed.ic.FJuT4ODsVI.jpg "Rugged Quechua Phone 5″ outdoor smartphone now available at Decathlon stores for about €230 / £200"){kind=small}
![Announced for the end of October 2013, the ARCHOS GamePad 2 (model with 8 Gb storage) started to sell on ARCHOS online store in time. The portable game console has […]](http://www.arctablet.com/blog/wp-content/uploads/2013/12/36x36xARCHOS_GamePad_outstock_600x_nowrmk-36x36.png.pagespeed.ic.XBmBNaQGhb.jpg "ARCHOS GamePad 2 availability and other options"){kind=small}
![According to their manufacturer, Onda tablets based on quad-core Allwinner A31/A31s processors should receive an Android 4.4 (KitKat) update in the coming weeks. Among many features enhancements, latest Android 4.4 […]](http://www.arctablet.com/blog/wp-content/uploads/2013/12/36x36xOnda_Android_4_4_KitKat_Plan_400x302_nowrmk-36x36.jpg.pagespeed.ic.bKaSCmIN7R.jpg "Android 4.4 KitKat update for Onda quad-core tablets coming this month"){kind=small}
![Parrot company, the manufacturer of great Bluetooth phone hands-free kits, high-end audio products (speakers and headphones) and entertainment products such as AR Drone quadri-copter is coming with a new “eco-geek” […]](http://www.arctablet.com/blog/wp-content/uploads/2013/10/36x36xparrot_flower_power_thumbnail_nowrmk-36x36.jpg.pagespeed.ic.pHVs05Fpqz.jpg "Parrot Flower Power monitors your Garden 2.0, coming next month"){kind=small}
![ARCHOS supplier page for the HKTDC Hong Kong Electronics Fair Autumn Edition is showing some details about the GamePad 2. Let’s have a look… According to the page spec sheet, […]](http://www.arctablet.com/blog/wp-content/uploads/2013/09/36x36xARCHOS_GamePad2_3D_b_nowrmk-36x36.jpg.pagespeed.ic.r_kFL6CGrW.jpg "ARCHOS GamePad 2 specifications and details revealed"){kind=small}
![By looking at ARCHOS releases from IFA tradeshow held a few days ago in Berlin, it seems ARCHOS is now reproducing their tablet strategy on the smartphones, by flooding the […]](http://www.arctablet.com/blog/wp-content/uploads/2013/09/36x36xarchos_titanium_smartphones_2013_IFA_p1_nowrmk-36x36.png.pagespeed.ic.UkDQ7B-HTj.jpg "ARCHOS Smartphone range for 2013 as shown at IFA Berlin"){kind=small}
![ARCHOS keeps working on new models to complete their existing smartphones line. Latest production is jointly designed with Oxylane group, the company behind Decathlon, a major French sporting goods chain […]](http://www.arctablet.com/blog/wp-content/uploads/2013/09/36x36xARCHOS_Quechua_5_back_nowrmk-36x36.jpg.pagespeed.ic.06pYOGunMk.jpg "ARCHOS team up with Oxylane designing rugged Quechua Phone 5"){kind=small}
![It’s been a while since ARCHOS have surprised us with innovative products. In a press release published today, they announced plans to present a new line of high-end smartphones (octo-cores […]](http://www.arctablet.com/blog/wp-content/uploads/2013/08/36x36xsmartwatch_illustration_nowrmk-36x36.jpg.pagespeed.ic.d41YzOddWb.jpg "ARCHOS plans for CES 2014: connected objects, a smartwatch, octo-cores and 4G smartphones"){kind=small}
Crew RKTablets Blog feed
