Sydney, Australia – July 23, 2013 – A week ago, Bitdefender announced an update to the Bitdefender Mobile Security and Bitdefender Antivirus Free to mitigate the MasterKey vulnerability.
Since then Bitdefender has started receiving reports about applications that manifest the MasterKey exploit behaviour – overwriting identically-named files inside the archive as they were cleared off digital signature inspection.
A closer look into a couple of these applications hosted on Google Play and it’s revealed a potentially harmful common trait: they all had the air. prefix, a marker for applications written in Adobe Air.
Bitdefender have looked into their collection of Android applications and based on their telemetry, they have discovered that nearly 1.25 percent of the applications written in Adobe Air manifest the MasterKey behaviour and are blocked on patched Android distributions.
How the exploit works?
The MasterKey exploit works by including two duplicate files inside the same Android Package File (APK). When the Android device starts the application installation process, the operating system unpacks the APK file and extracts the files inside. However, since there are two identically-named files with the same path, the latter would overwrite the former, thus triggering the suspicious behaviour. The introduction of a duplicate file is not voluntary (as it would be in the case of a malicious attack), but rather the side effect of a bug in the development toolkit used by Android application developers – Adobe Air 3.7.0.153. The issue has been known and published on the Adobe bugtracker since April this year.
Who is impacted?
Although the icon substitution does not adversely impact device security, these applications will be denied the right to install on customers’ devices if they are running a patched Android version (Cyanogen Mod or the upcoming Android 4.3, among others).
I’m a developer, how do I fix this?
If you’re building Android applications using this specific version of Air, you should update to a newer version and rebuild your applications. If, for any reason, you are unable to update the development platform, you should simply remove any of the duplicate files by opening the APK file with any utility that can modify ZIP files and navigate to the \res\drawable-xhdpi\ folder and delete one of the icon.png files inside.
