Will Verduzco · Jul 18, 2013 at 08:00 pm

Xposed Patch for Master Key and Bug 9695860 Vulnerabilities

By now, you’ve undoubtedly heard of the Android Master Key vulnerability, which allows a malicious payload to be inserted in an application that is installed, due to a discrepancy between signature verification and app installation. The vulnerability has been known for some time, having been responsibly disclosed by Bluebox back in February, and patched a couple of weeks ago.

Another vulnerability, also known officially as Bug 9695860, works in a similar fashion and results in the installation of an unwanted malicious payload from a seemingly innocuous file. It, just like its predecessor, has also been patched a little over two weeks ago by Google.

Unfortunately, while these vulnerabilities have since been patched by Google and incorporated into a handful of OEM firmware updates, not every manufacturer has been so expedient. And given the usual delays ranging from laziness and lack of profitability to technical complexity, there’s really no telling as to when they will make their way into the majority of end-user devices. The aftermarket community’s quite a bit better, though. Case in point, CyanogenMod 10.1 has had the fix merged ever since July 7th.

However, while quite a good number of people run CM10.1 and derivative kanged ROMs, obviously not everyone is running CM10.1 on his or her device. After all, a good number of people enjoy running modified stock ROMs in order to preserve the original look and feel or OEM-specific features. And there are other source-built ROMs that just haven’t been updated to include the upstream fixes.

So what are stock firmware + root users to do in order to be safe? Well first off, said users should refrain from installing APKs that don’t come from trusted sources such as Google Play. However, we realize that this isn’t a true solution. To deliver that, XDA Recognized Contributor Tungstwenty came up with an Xposed module that patches both vulnerabilities in one go.

Previously, we’ve seen Recognized Developer rovo89‘s Xposed Framework used for quite a few modifications ranging from alleviating issues in recent Android revisions to managing permissions to loading the borderline malware (I kid, I kid) Facebook Home. However, we’ve not yet seen the framework used to deliver a fix for a vulnerability in such a manner. (Those wishing for a primer on the fantastic Xposed Framework should visit our write-up from a few months back.)

As expected from any Xposed-based modification, installation of Tungstwenty’s Xposed Module is incredibly simple. In his words:

1. Make sure the Xposed Framework is installed.
Follow the instructions on the thread. Root is required only during installation, it is no longer required afterwards. Only ICS or above is supported.

2. Install the Master Key dual fix module.

3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key dual fix

4. Reboot the device (a Soft reboot is sufficient)

You should now see an image similar to the attached one. The green text shows that the module is active and the 2 vulnerabilities have been patched.

Those who would like to learn more about the vulnerability should visit this thread by Recognized Developer Adam77Root, which explains it in a little bit greater detail. It also outlines which ROMs would and would not be affected. Until you’re patched by either installing this Xposed patch or updating to the latest CM10.1 nightly, we advise that you only install APKs from trusted sources such as the Google Play store.

Head over to Tungstwenty’s modification thread to get your fix… literally.


_________
Want something on the XDA Portal? Send us a tip!

Will Verduzco

willverduzco is an editor on XDA-Developers, the largest community for Android users. Will Verduzco is the Portal Administrator for the XDA-Developers Portal. He has been addicted to mobile technology since the HTC Wizard. But starting with the Nexus One, his gadget love affair shifted to Google's little green robot. He is also a Johns Hopkins University graduate in neuroscience and is now currently studying to become a physician. View willverduzco's posts and articles here.
Mario Tomás Serrafero · Aug 4, 2015 at 02:17 pm · no comments

Sony’s Emergence in The Middle: Is The Price Right?

Sony’s Electronics Division is not in its best days, and its smartphone products are seemingly an important cause of this. The Japanese giant’s Xperia line has been on the decline in terms of sales, and these past few months have been particularly damaging to the company due to the Xperia Z4’s market performance. Sony’s Q1 results were also not favorable, as its mobile division lost $184 million and sales slumped 16% year-on-year.   Not too long ago we featured a...

XDA NEWS
Eric Hulse · Aug 4, 2015 at 03:42 am · 1 comment

HTC Delivering Ads Straight to Sense Home

HTC's 2015 has been a year marked by a desperate search for revenue. The HTC One M9 launched with its own launcher complete with a Smart Folder in the Sense Home Widget. This automatic pseudo-folder would populate with "suggestions" that were nothing more than thinly-veiled ads.   Just over a month ago, HTC began placing advertisements (that can thankfully be disabled) in Blinkfeed. These Blinkfeed ads appeared after Yelp advertisements began appearing on HTC's Lock screen. Users, expectedly, voiced dissatisfaction all...

XDA NEWS
Brian Young · Aug 2, 2015 at 09:05 pm · 2 comments

Galaxy S6 & Edge get €100 Price Cut—New Models Incoming

Samsung has dropped the price of both the Galaxy S6 and S6 Edge by €100, making the current retail price of these phones €599 and €699, respectively. Though no new prices have been announced stateside, a cut is expected soon. (more…)

XDA NEWS