Hackers use Android Master Key Exploit in China
#1 24-07-2013, 13:06:06 PM

"The bug - which was first publicised earlier this month - allows attackers to install code on to phones running Google's mobile operating system and then take control of them."

No word yet if SKRAG was involved

#2 24-07-2013, 13:28:31 PM
This must be what has infected my Android device.

#3 24-07-2013, 15:13:31 PM
  • Guest
This is an old bug that everyone on XDA has known about for years. Google probably has too.
While I think it is an epic fail that Google has left Android's signature verification broken for so many years, I think Obama and the media are greatly exaggerating the severity of this issue.
Here's why:

1.) Google Play Store already rejects apps that have been modified using this exploit, and has for some time.
2.) If you're getting an app from an unofficial source you probably won't bother verifying the signature.
They could just as easily sign it with the debug keys and probably infect just as many dumb people!!
3.) Skrag first discovered this exploit in his basement 4 years ago and nothing bad has happened.

I know that they're worried about someone using this exploit to release malicious updates for system apps and take advantage of their special permissions, but I don't think this will happen.
There are so many different Android devices and (I believe) they're all signed with the manufacturer's key, NOT THE SAME ONE. One would have to release a malicious update for each Android device they want to infect!!


Note: I don't actually know what I'm talking about and there's probably a lot of incorrect information in this post.
Please wait for Skrag to comment on this issue.

#4 24-07-2013, 15:18:48 PM
But Steev the article says a Chinese health and wellness app on the playstore had the bug in it!

#5 24-07-2013, 15:19:16 PM

@EJ what does that say?

#6 24-07-2013, 15:28:26 PM
- Last Edit: 24-07-2013, 15:33:25 PM
  • Guest
I only skimmed through the article but in the source it says:
"We found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."

Not necessarily meaning Google Play. I think it was an unofficial app store, because Google Play is blocked in China.

#7 24-07-2013, 15:30:02 PM
I didn't know that! You have to use a third party app store in China, that is crazy! I bet someone could steal your credit card #

#8 24-07-2013, 15:33:18 PM
I believe accepting apps from sources other than the Google Play store gave my Nexus 7 a virus!

#9 24-07-2013, 15:46:07 PM
The only safe third party app store is the next gen game store that Steev made

#10 24-07-2013, 15:48:43 PM
  • Guest
"The only safe third party app store is the next gen game store that Steev made"

That store hosts Thunder's apps, so I'm not so sure about that :bidoof:
