
Malware exploits Android flaw

By Kirsten Doyle, ITWeb contributor.
Johannesburg, 26 Jul 2013
Screenshot of the infected apps from Symantec's blog.

Apps have been found in Chinese Android marketplaces that are exploiting Android's master key vulnerability, Symantec researchers say.

The vulnerability allows cyber criminals to modify existing apps by inserting a malicious file with the identical name as an existing one in the application package.

When Android opens the package file, the first file is validated but not the second, as Android believes it has already validated that file. Essentially, this allows criminals to remotely control devices, send SMSes to premium numbers, and steal sensitive information.

At the time, Google declined to comment on the matter, but quickly acted to block apps seeking to exploit the vulnerability in the Google Play market.

Unfortunately, Android touts itself as being open and allows users to install software from other stores. This openness has become a liability, as the first apps aimed at exploiting the weakness have been identified.

Symantec's official blog said the company expected the vulnerability to be leveraged quickly due to ease of exploitation, and it was right.

Norton Mobile Insight, its system for harvesting and automatically analysing Android applications from marketplaces, found the first examples of the exploit being used 'in the wild'. Symantec detects these apps as Android.Skullkey.

For an exploit to be 'in the wild', it must be spreading uncontained among infected computers of unsuspecting users as a result of normal day-to-day operations.

On 23 July, Symantec said it found two applications infected by a malicious actor, both of which are legitimate apps distributed on Android marketplaces in China that help users make doctors' appointments.

The following day, the company found an additional four Android apps infected by the same attacker and being distributed on third-party app sites - a popular news app, an arcade game, a card game, and a betting and lottery app - all designed for Chinese-speaking users.

A malware author has added code to these apps by exploiting the vulnerability. The cyber crook was able to alter the original Android application by adding an additional classes.dex file, which contains the Android application code, and an additional Android manifest file, which specifies permissions.
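The duplicated classes.dex described above is visible in the package's zip central directory, so a defender can check for it before installing or while auditing a marketplace feed. The following is an added example, not code from Symantec or the article: it lists every entry name that appears more than once in a package and hashes each copy, using a constructed minimal zip as the test fixture rather than a real APK.

```python
import hashlib
import io
import warnings
import zipfile

# Entries the master key attack duplicates; assumed watch list for this check.
WATCHED = ("classes.dex", "AndroidManifest.xml")


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: [sha256 of each copy]} for every entry name that occurs
    more than once in the central directory.

    zipfile.ZipFile.infolist() keeps every central-directory record, including
    duplicates; ZipFile.read(name) resolves by name and returns only one copy,
    so each record is read via its ZipInfo object instead.
    """
    hashes: dict = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            hashes.setdefault(info.filename, []).append(digest)
    return {name: h for name, h in hashes.items() if len(h) > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """Flag a package whose code or manifest entry is duplicated."""
    dups = find_duplicate_entries(apk_bytes)
    return any(name in dups for name in WATCHED)


def build_sample(duplicate: bool) -> bytes:
    """Constructed fixture (not a real APK): a minimal zip with a manifest and
    a classes.dex; with duplicate=True a second classes.dex record holding
    different bytes is appended, mirroring the condition the check looks for."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035 original payload")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035 tampered payload")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print(f"duplicate={flag}: suspicious={is_suspicious(sample)}",
              find_duplicate_entries(sample))
```

A clean package yields an empty dictionary; a duplicated entry shows two differing hashes under one name, which is the signal to quarantine the file rather than trust its signature.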

Injecting malicious code into legitimate apps is not new - malware authors have been doing it for some time. The difference here is that, in the past, they needed to change both the application and publisher name and also sign any app they had tampered with using their own digital signatures, making dodgy apps easy to spot.

The new flaw doesn't need the attackers to alter these digital signature details, so they can freely hijack legitimate apps, and no one would be the wiser.

Google has issued an official patch for the vulnerability, says bgr.com, but as it is distributed through the device manufacturers, there is no saying when it will be available for download.

As cyber criminals have a tendency to strike while the iron is hot, Symantec expects them to continue to leverage this vulnerability. The company recommends users only download applications from reputable Android application marketplaces.
