Will Verduzco · Jul 18, 2013 at 08:00 pm

Xposed Patch for Master Key and Bug 9695860 Vulnerabilities

By now, you’ve undoubtedly heard of the Android Master Key vulnerability, which allows a malicious payload to be inserted in an application that is installed, due to a discrepancy between signature verification and app installation. The vulnerability has been known for some time, having been responsibly disclosed by Bluebox back in February, and patched a couple of weeks ago.

Another vulnerability, also known officially as Bug 9695860, works in a similar fashion and results in the installation of an unwanted malicious payload from a seemingly innocuous file. It, just like its predecessor, has also been patched a little over two weeks ago by Google.

Unfortunately, while these vulnerabilities have since been patched by Google and incorporated into a handful of OEM firmware updates, not every manufacturer has been so expedient. And given the usual delays ranging from laziness and lack of profitability to technical complexity, there’s really no telling as to when they will make their way into the majority of end-user devices. The aftermarket community’s quite a bit better, though. Case in point, CyanogenMod 10.1 has had the fix merged ever since July 7th.

However, while quite a good number of people run CM10.1 and derivative kanged ROMs, obviously not everyone is running CM10.1 on his or her device. After all, a good number of people enjoy running modified stock ROMs in order to preserve the original look and feel or OEM-specific features. And there are other source-built ROMs that just haven’t been updated to include the upstream fixes.

So what are stock firmware + root users to do in order to be safe? Well first off, said users should refrain from installing APKs that don’t come from trusted sources such as Google Play. However, we realize that this isn’t a true solution. To deliver that, XDA Recognized Contributor Tungstwenty came up with an Xposed module that patches both vulnerabilities in one go.

Previously, we’ve seen Recognized Developer rovo89‘s Xposed Framework used for quite a few modifications ranging from alleviating issues in recent Android revisions to managing permissions to loading the borderline malware (I kid, I kid) Facebook Home. However, we’ve not yet seen the framework used to deliver a fix for a vulnerability in such a manner. (Those wishing for a primer on the fantastic Xposed Framework should visit our write-up from a few months back.)

As expected from any Xposed-based modification, installation of Tungstwenty’s Xposed Module is incredibly simple. In his words:

1. Make sure the Xposed Framework is installed.
Follow the instructions on the thread. Root is required only during installation, it is no longer required afterwards. Only ICS or above is supported.

2. Install the Master Key dual fix module.

3. Follow the Xposed notification about a new module being available, and on the list of modules activate Master Key dual fix

4. Reboot the device (a Soft reboot is sufficient)

You should now see an image similar to the attached one. The green text shows that the module is active and the 2 vulnerabilities have been patched.

Those who would like to learn more about the vulnerability should visit this thread by Recognized Developer Adam77Root, which explains it in a little bit greater detail. It also outlines which ROMs would and would not be affected. Until you’re patched by either installing this Xposed patch or updating to the latest CM10.1 nightly, we advise that you only install APKs from trusted sources such as the Google Play store.

Head over to Tungstwenty’s modification thread to get your fix… literally.


_________
Want something on the XDA Portal? Send us a tip!

Will Verduzco

willverduzco is an editor on XDA-Developers, the largest community for Android users. View posts and articles below.

Will Verduzco is the Portal Administrator for the XDA-Developers Portal. He has been addicted to mobile technology since the HTC Wizard. But starting with the Nexus One, his gadget love affair shifted to Google's little green robot. He is also a Johns Hopkins University graduate in neuroscience and is now currently studying to become a physician.
Emil Kako · Mar 6, 2015 at 12:00 pm · no comments

Best Bang-for-the-Buck Phone You Can Get Today?

There are many great Android handsets on the market today that are much cheaper than the flagships from the major players like Samsung and HTC. The OnePlus One and Nexus 5 are two great examples of high-end phones being offered at prices much cheaper than competitors. But there are phones in the mid-range that may offer even more bang for your buck. Let us know which smartphone deal you think has the best value.

DISCUSS
Mathew Brack · Mar 6, 2015 at 11:27 am · 1 comment

TapDeck Beta: Smart Wallpaper Discovery

TapDeck which has just entered beta, is a smart wallpaper app that allows you to change to a random wallpaper by simply double tapping your screen. After selecting images you like from a selection, your wallpapers will be chosen based on similar images from Flickr, Imgur, Reddit and Wikipedia. If you see one you like, simply swipe up and you will see information relevant to the image. After spending a day with this app it is clear that it is still...

XDA NEWS
GermainZ · Mar 6, 2015 at 10:34 am · 1 comment

Open, Accessible Material Design Icons

Need some material design icons for your latest app or website? Or perhaps you're a designer looking to share some of your work? Material Design Icons probably has what you're looking for. For developers, it means open, searchable icons that are available in all the formats you could wish for. Developing for Android? You can download any icon in two formats: Android 5.x (gives you a vector drawable along with PNGs in black, gray and the color of your choosing),...

XDA NEWS
Share This