Someone has finally developed a security solution for the Android master key vulnerability unearthed by Bluebox Security earlier in the month.
With a vulnerability that puts over 99% of Android devices on the hackers’ radar, it has seemed like a long wait. As predicted by critics and supporters alike, Android OEMs were not on the front lines to provide a fix for this vulnerability, despite getting a patch from Google early on.
The Bluebox master key vulnerability lets malicious apps disguise themselves as legitimate apps. The root of the problem is that a malicious app can pack files whose names match those of legitimate files inside the app installer bundle. As a result, a malicious install can get onto your phone while presenting the same digital signature as the valid application.
New Tool to Squash Master Key Vulnerability
The new solution to the Android security loophole, ReKey, works by hooking into the underlying Android operating system environment to offer a defensive front for your phone. Developed by mobile security company Duo Security in collaboration with Northeastern University’s System Security Lab, this tool is designed to eliminate the vulnerability without having to wait for patches from mobile carriers, who could take weeks to deliver, if not months.
ReKey also curbs a similar Android vulnerability that was discovered in recent days by a Chinese Android security team. The Chinese vulnerability allows attackers to stealthily smuggle untrusted code into app installer files by making use of APKs whose classes.dex files are smaller than 64K.
According to Duo Security’s CTO, Jon Oberheide, ReKey goes a step further: as well as blocking the Bluebox master key vulnerability and similar security loopholes, it notifies Android users of attempted attacks featuring malicious APKs.
“This app is powered by a Dalvik bytecode instrumentation framework,” said Oberheide. “To fix the master key hole, we hook the vulnerable routines in Android’s package manager in order to block the attack vector.”
The tool is available for download from the official ReKey website and the Android Play Store.
Via Duo Security