Android "master key" flaw under active attack for first time

Symantec researchers discovered the exploits on the loose in Chinese third-party app stores.

Attackers have begun exploiting a major Android vulnerability that allows them to take over a victim's phone without altering the digital signature of a targeted app.

According to researchers at Symantec, the miscreants exploited the “master key” flaw in several popular apps marketed to Chinese-speaking Android users.

This could enable them to remotely control victims' phones, send premium SMS messages and disable security software on the device. In addition, they could steal data stored on the phone, such as international mobile station equipment identity (IMEI) and phone numbers, a Tuesday blog post from Symantec's security response team said.

So far, researchers have detected six hijacked apps affecting Android users: a popular card game, an arcade game, a betting and lottery app, a news app and two apps that help users find and schedule doctor's appointments.

Satnam Narang, security response manager at Symantec, told SCMagazine.com on Wednesday that the infected apps were found in third-party online stores in China, but only time will tell whether the threat will make its way to the United States.

Earlier this month, news about the master key vulnerability spread rapidly because it affects 99 percent of Android devices. San Francisco-based Bluebox Security, which discovered the flaw, found that an estimated 900 million devices are impacted since the bug can be exploited in any Android phone released in the last four years.

Worse yet, Jeff Forristal, CTO at Bluebox, revealed that the exploit can be carried out without an app's cryptographic signature being modified. An alteration to the signature normally serves as a red flag that a legitimate app has been "trojanized" or tampered with in some way.
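Bluebox's disclosure of this bug concerned APK files (which are ZIP archives) carrying two entries under the same name, with the signature verifier resolving the name to one copy and the installer to the other. The following is an added example written for this page, not code from the article, Symantec or Bluebox: it shows how two readers of the same archive can disagree on which copy a name refers to, and a defender-side check that flags any archive whose central directory lists a name twice; the fixture archive and its contents are constructed here.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name listed more than once.
    namelist() walks the central directory verbatim, so duplicates show up
    here even though a name-keyed lookup only ever sees one of them."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(zf.namelist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """A well-formed, untampered APK never needs two entries with one name."""
    return bool(duplicate_entries(apk_bytes))


def read_by_order_and_by_name(apk_bytes: bytes, name: str) -> tuple:
    """Demonstrate the ambiguity: the first entry in directory order versus
    the entry a dict-style lookup (last one wins) returns for the same name."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        first = next(zi for zi in zf.infolist() if zi.filename == name)
        by_order = zf.open(first).read()   # first copy, by position
        by_name = zf.read(name)            # last copy, by name lookup
    return by_order, by_name


def build_sample(duplicate: bool) -> bytes:
    """Constructed fixture: a minimal APK-shaped ZIP. With duplicate=True a
    second 'classes.dex' entry is appended under the same name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original")
        if duplicate:
            with warnings.catch_warnings():
                # zipfile warns about duplicate names but still writes the entry
                warnings.simplefilter("ignore", UserWarning)
                zf.writestr("classes.dex", b"dex\n035\x00second-copy")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print("duplicate entries:", duplicate_entries(sample), "suspicious:", is_suspicious(sample))
```

The same check can be run over any APK on disk by passing its bytes; the point is that every reader of the archive must agree on a single copy per name before a signature over the entries means anything.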

SCMagazine.com reached out to Google to inquire about what the company may be doing to prevent apps in its official Android app store from being impacted, but did not immediately hear back.

Forristal plans to reveal more details about the vulnerability at the Black Hat conference next week in Las Vegas. 
