Is your Archos / Arnova or Android device protected against the Master Key vulnerability?


A few months ago, Jeff Forristal from bluebox.com discovered a security issue in the Android system and disclosed it to Google in February 2013 (filed as Android security bug 8219321). Another similar problem was also highlighted a few weeks ago (bug 9695860).
These security issues allow an attacker to modify the program contained in a signed Android application (APK) while keeping the existing application signature intact. Such a modified application still appears to be signed by the original author, so someone with bad intentions could use the exploit to alter an application in a malicious way and include a potentially dangerous payload.

Photo: Bluebox Security Scanner results, with a partly vulnerable device (ARCHOS 50 Platinum) on the left and a patched device (Sony Xperia Z) on the right.

These vulnerabilities have been patched by Google in the Android Open Source Project (AOSP) code, but not all OEM manufacturers have deployed these fixes so far. Smaller manufacturers (which is the case for most Chinese tablets, including Archos / Arnova) haven’t yet fixed all their products. Some modified versions of Android such as CyanogenMod (CM 10.1) already have the fixes in place. According to bluebox.com, Google Play Store should be protected against receiving applications modified to exploit this security problem. Still, malware-type applications hosted on less protected market places or downloaded from upload sites could easily infect unprotected devices.

We recommend that you make sure your device is patched against the Master Key vulnerability. If that’s not the case, stay safe and download apps only from official market places or trusted sources.

Check your device using Bluebox Security Scanner

You can download and install the free Bluebox Security Scanner application from Google Play Store, Amazon.com and getjar.com to verify whether your device is vulnerable to these security bugs.

This application checks whether your device has been safely patched against the Google “Master Key” security bugs 8219321 and 9695860. It also performs an integrity check by searching for installed apps that may be affected by this vulnerability.



Verified products against Master key vulnerability (Android security bug 8219321 and 9695860)

We are posting a short list of vulnerability test results for a few devices. Feel free to check your device with Bluebox Security Scanner and report the results in the comments section below. Please specify your full device reference (manufacturer and model), firmware version/build date and vulnerability result for both 8219321 and 9695860 bugs.

Archos and Arnova products

| Date reported | Device (Manufacturer and model) | Device firmware version/date | 8219321 bug | 9695860 bug |
|---|---|---|---|---|
| 2013/11/15 | ARCHOS GamePad 2 | Android 4.2.2, 2013/09/25 | Vulnerable | Vulnerable |
| 2013/08/12 | ARCHOS TV Connect | Android 4.1.2, firmware 4.1.5 | Fixed | Vulnerable |
| 2013/08/07 | ARCHOS Gamepad | Android 4.1.1, JRO03H/20121220.155836 | Vulnerable | Vulnerable |
| 2013/08/07 | ARCHOS 50 Platinum | Android 4.1.2, 20130604.164753 | Fixed | Vulnerable |

Other Android products

| Date reported | Device (Manufacturer and model) | Device firmware version/date | 8219321 bug | 9695860 bug |
|---|---|---|---|---|
| 2013/11/16 | Google Nexus 7 (2013) | Android 4.4 (KRT16O) | Fixed | Fixed |
| 2013/08/07 | Cube U55GT | Android 4.2.2 (2013/09/13) | Fixed | Fixed |
| 2013/09/04, reported by sipdude | Cube U30GT2 | Android 4.2.2, Firmware 2.04 final, 2013-08-10 | Fixed | Vulnerable |
| 2013/08/07 | Sony Xperia Z (C6603) | Android 4.2.2 (10.3.1.A.0.244) | Fixed | Fixed |
| 2013/08/07 | Google Nexus 10 | Android 4.3 (JWR66V) | Fixed | Fixed |
| 2013/08/07 | Onda V972 | Android 4.2.2, 20130726 | Vulnerable | Vulnerable |



Source:
Jeff Forristal blog article
Blackhat USA 2013 security conference : Forristal talk
Android Security Squad (安卓安全小分队) blog article and English translation

Thanks cajl / Jbmm.fr for his feedback.