Android Master Key exploited

illadope

:krs: I won't link nothing since y'all don't trust me but anyone that knows how to exploit stuff can do some serious damage. 99 percent of all devices can get got.


:blessed: make $$$ brehs with 0-day's. Anyone mess with exploits?
 

satam55

:krs: I won't link nothing since y'all don't trust me but anyone that knows how to exploit stuff can do some serious damage. 99 percent of all devices can get got.


:blessed: make $$$ brehs with 0-day's. Anyone mess with exploits?

:snoop: Android is open source software. Does it really matter?
 

illadope

:snoop: Android is open source software. Does it really matter?

Just because something is open source doesn't mean it's not vulnerable to exploits. 900 million devices are affected with this. If someone wanted to have a field day they easily could.
 

PS5 Pro

I'm slow.. explain.

Well PSN lost its master Key so people on PS3 can mod games and play them online without fear of being stopped by Sony because any update they send to stop it doesn't reach "the bottom level"

The "bottom level" is the "master key level"

So for how that applies to Android? I'm guessing at the very least you could do the same via mobile gaming. But I expect much more things like maybe... free internet? Tethering for free? I really don't know for sure...

The implications are huge! This vulnerability, around at least since the release of Android 1.6 (codename: “Donut”), could affect any Android phone released in the last 4 years – or nearly 900 million devices – and depending on the type of application, a hacker can exploit the vulnerability for anything from data theft to creation of a mobile botnet.

While the risk to the individual and the enterprise is great (a malicious app can access individual data, or gain entry into an enterprise), this risk is compounded when you consider applications developed by the device manufacturers (e.g. HTC, Samsung, Motorola, LG) or third-parties that work in cooperation with the device manufacturer (e.g. Cisco with AnyConnect VPN) – that are granted special elevated privileges within Android – specifically System UID access.

Installation of a Trojan application from the device manufacturer can grant the application full access to Android system and all applications (and their data) currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.), retrieve all stored account & service passwords, it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these “zombie” mobile devices to create a botnet.
Long story short, and this goes double/triple/1million for people who have jailbroken.

And nikkaz is worried about Kinect :bryan:
 

Kemyran

Uncovering Android Master Key That Makes 99% of Devices Vulnerable » Bluebox Security

Large Professor - Have fun - YouTube

This will be slaughtered with an update bright and early. I believe T-Mobile pushed out an update recently.

S4 is already patched. I read elsewhere that this only affects applications installed outside of the Google Play store? The vast majority of people don't sideload apps anyway and the rest that do know the risks.

Sucks, but these exploits will always be a cat and mouse game until the end of time. *shrug*
 

PS5 Pro

S4 is already patched. I read elsewhere that this only affects applications installed outside of the Google Play store? The vast majority of people don't sideload apps anyway and the rest that do know the risks.

Sucks, but these exploits will always be a cat and mouse game until the end of time. *shrug*

You not really saying anything here. Just saying "They know the risk" is not adequate. Nobody on this site was telling ppl "Yo, if you jailbreak nikkaz might steal your credit card info"

What happens is ppl on here acting like they bulletproof and they "convince" other posters to try shyt out. If this was normal, it wouldn't be a story.
If somebody hacks the regular store... wait a minute. You didn't even read the article


Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user
The only risk ppl took was riding with Android :wow:
 

Kemyran

You not really saying anything here. Just saying "They know the risk" is not adequate. Nobody on this site was telling ppl "Yo, if you jailbreak nikkaz might steal your credit card info"

What happens is ppl on here acting like they bulletproof and they "convince" other posters to try shyt out. If this was normal, it wouldn't be a story.
If somebody hacks the regular store... wait a minute. You didn't even read the article



The only risk ppl took was riding with Android :wow:
I'm not really saying anything? Who said I had to, I don't work for Google and I'm not their PR. I just cited what I have read on the issue.

I read your article and cited other articles I read that contradict what you posted regarding the Play Store:

Android ‘Master Key’ Security Hole Puts 99% Of Devices At Risk Of Exploitation | TechCrunch
https://www.cio.com.au/article/4665...droid_apps_without_breaking_their_signatures/
Using Google Play to distribute apps that have been modified to exploit this flaw is not possible because Google updated the app store's application entry process in order to block apps that contain this problem, Forristal said. The information received by Bluebox from Google also suggests that no existing apps from the app store have this problem, he said.
I'm not concerned with what nikkas on the internet tell me is risky or not. I and most other people realize that if I'm in as deep as modifying the software on my phone, you potentially open yourself up to certain vulnerabilities.
 