Security researchers from mobile-protection firm Duo Security and the System Security Lab at Northeastern University have produced a program to patch a major flaw in Android phones. But there’s a significant catch: Only phones that have already been hacked can currently apply the fix.
The program, known as ReKey, allows users to protect their Android smartphone or tablet by modifying the two vulnerable functions to fix the flaw. Any malicious app that attempts to exploit the master-key issue will not only fail to compromise the phone, but will cause the ReKey program to warn the user.
Northeastern and Duo have been collaborating on the third-party patching technology for patching Android phones for about a year, according to Jon Oberheide, co-founder and chief technology officer of mobile-protection provider Duo Security. While the two teams could exploit the vulnerability to install their software and patch any phone, they are leery of doing so, he said.
“We are a little cautious about releasing a weaponized exploit for this particular vulnerability, because there hasn’t been any public proof of concepts, so we would not want to give attackers a working exploit,” Oberheide said.
Fixing flaws in the Android mobile operating system is a slow process because multiple companies have to take part in the process. The Android development community fixes the vulnerability, an update version of the software is distributed by Google, the device manufacturers have to update their firmware and then the carriers have to test the update to make sure it does not impact their cellular network.
In the end, most phones are rarely patched, and more than half of all phones still have major vulnerabilities left unpatched, according to Duo Security’s X-Ray vulnerability scanning software.
In March, one researcher publicized vulnerabilities in Samsung’s smartphones because the company, in the researcher’s estimation, did not patch the issue fast enough.
The master key vulnerability, discovered by researchers at startup Bluebox Security, allows an attacker to use a Trojan horse to infect other applications on the device—including OS components with system privileges—and escape detection by the software watchdog on Android that is supposed to prevent such changes. The issue affected 900 million devices at the time of its discovery, Bluebox estimated.
While Google has fixed the flaw, many phones have not yet received the patch. Given the lack of security updates for older devices, many users may never have a patched device.
“OEMs are most interested in the security of the devices right now; carriers don’t care about security, because they are not making any money,” Oberheide said. “But if OEMs can sell consumers on security—like Samsung’s Knox framework—then it can certainly help the problem.”
While Duo and Northeastern have only provided the ReKey app for jailbroken phones, it would be easy to modify it with an exploit of the vulnerability to patch the issue, the two organizations said in their description of the tool.
“If a weaponized exploit was observed being used publicly in the wild for nefarious purposes, that would ‘change our calculus’ or whatever the phrase is these days. Stay tuned,” they said in a statement.