Android "master key" flaw under active attack for first time

Share this article:
Symantec researchers discovered the exploits on the loose in Chinese third-party app stores.
Symantec researchers discovered the exploits on the loose in Chinese third-party app stores.

Attackers have begun exploiting a major Android vulnerability that allows them to take over a victim's phone without altering the digital signature of a targeted app.

According to researchers at Symantec, the miscreants exploited the “master key” flaw in several popular apps marketed to Chinese-speaking Android users.

This could enable them to remotely control victims' phones, send premium SMS messages and disable security software on the device. In addition, they could steal data stored on the phone, such as international mobile station equipment identity (IMEI) and phone numbers, a Tuesday blog post from Symantec's security response team said.

So far, researchers have detected six hijacked apps affecting Android users: a popular card game, an arcade game, a betting and lottery app, a news app and two apps that help users find and schedule doctor's appointments.

Satnam Narang, security response manager at Symantec, told SCMagazine.com on Wednesday that the infected apps were found in third-party online stores in China, but only time will tell whether the threat will make its way to the United States.

Earlier this month, news about the master key vulnerability spread rapidly because it affects 99 percent of Android devices. San Francisco-based Bluebox Security, which discovered the flaw, found that an estimated 900 million devices are impacted since the bug can be exploited in any Android phone released in the last four years.

Worse yet, Jeff Forristal, CTO at Bluebox, revealed that the exploit can be carried out without an app's cryptographic signature being modified. An alternation to the signature normally serves as a red flag that a legitimate app has been "trojanized" or tampered with in some way.

SCMagazine.com reached out to Google to inquire about what the company may be doing to prevent apps in its official Android app store from being impacted, but did not immediately hear back.

Forristal plans to reveal more details about the vulnerability at the Black Hat conference next week in Las Vegas. 

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.