A few months ago, Jeff Forristal from bluebox.com discovered a security issue in Android system and disclosed it to Google in February 2013 (filed as Android security bug 8219321) another similar problem has also been highlighted a few weeks ago (bug 9695860)
These security issues allow exploiting signed Android applications (APK) by modifying the program they contain while maintaining the existing application signature intact. Such modified applications will appear signed by the original author so the exploit can be used by someone with bad intentions who could modify an application in a malicious way including a potentially dangerous payload.
These vulnerabilities have been patched by Google in their Android Open Source Project (AOSP) code, but not all OEM manufacturers have yet deployed these fixes so far. Smaller manufacturers (which is the case for most Chinese tablets, including Archos / Arnova) haven’t yet fixed all their products. Some modified versions of Android code such as CyanogenMod (CM 10.1) have already the fixes in place. According to bluebox.com, Google Play Store should be protected to received applications modified to exploit this security problem. Still, it’s quite easy for to malware type applications hosted on less protected Market places or downloaded from upload sites could easily infect unprotected devices.
We recommend that you make sure your device is patched against the Master Key vulnerability. If that’s not the case, stay safe and download apps only from official market places or trusted sources.
Check your device using Bluebox Security Scanner
You can download and install the free Bluebox Security Scanner application on Google Play Store. Amazon.com and getjar.com to verify if your device is vulnerable to these security bugsThis application will check if your device has been safely patched against Google “Master Key” security bugs 8219321 and 9695860, it will also perform an integrity check by for searching for installed apps that may be affected by this vulnerability.
Verified products against Master key vulnerability (Android security bug 8219321 and 9695860)
We are posting a short list of tested vulnerability on a few devices. Feel free to check your device with Bluebox Security Scanner and report the results in the comments section below. Please specify your full device reference (manufacturer and model), firmware version/build date and vulnerability result for both 8219321 and 9695860 bugs.Archos and Arnova products
Date reported | Device (Manufacturer and model) | Device firmware version/date | 8219321 bug | 9695860 bug |
---|---|---|---|---|
2013/11/15 | ARCHOS GamePad 2 | Android 4.2.2 2013/09/25 | Vulnerable | Vulnerable |
2013/08/12 | ARCHOS TV Connect | Android 4.1.2 firmware 4.1.5 | Fixed | Vulnerable |
2013/08/07 | ARCHOS Gamepad | Android 4.1.1 JRO03H/20121220.155836 | Vulnerable | Vulnerable |
2013/08/07 | ARCHOS 50 Platinum | Android 4.1.2 20130604.164753 | Fixed | Vulnerable |
Other Android products
Date reported | Device (Manufacturer and model) | Device firmware version/date | 8219321 bug | 9695860 bug |
---|---|---|---|---|
2013/11/16 | Google Nexus 7 (2013) | Android 4.4 (KRT16O) | Fixed | Fixed |
2013/08/07 | Cube U55GT | Android 4.2.2 (2013/09/13) | Fixed | Fixed |
2013/09/04 reported by sipdude | Cube U30GT2 | Android 4.2.2 Firmware 2.04 final 2013-08-10 | Fixed | Vulnerable |
2013/08/07 | Sony Xperia Z (C6603) | Android 4.2.2 (10.3.1.A.0.244) | Fixed | Fixed |
2013/08/07 | Google Nexus 10 | Android 4.3 (JWR66V) | Fixed | Fixed |
2013/08/07 | Onda V972 | Android 4.2.2 20130726 | Vulnerable | Vulnerable |
Source:
Jeff Forristal blog article
Blackhat USA 2013 security conference : Forristal talk
Android Security Squad (安卓安全小分队) blog article and English translation
Thanks cajl / Jbmm.fr for his feedback.