Android "master key" flaw under active attack for first time
Symantec researchers discovered the exploits on the loose in Chinese third-party app stores.
Attackers have begun exploiting a major Android vulnerability that allows them to take over a victim's phone without altering the digital signature of a targeted app.
According to researchers at Symantec, the miscreants exploited the “master key” flaw in several popular apps marketed to Chinese-speaking Android users.
This could enable them to remotely control victims' phones, send premium SMS messages and disable security software on the device. In addition, they could steal data stored on the phone, such as international mobile station equipment identity (IMEI) and phone numbers, a Tuesday blog post from Symantec's security response team said.
So far, researchers have detected six hijacked apps affecting Android users: a popular card game, an arcade game, a betting and lottery app, a news app and two apps that help users find and schedule doctor's appointments.
Satnam Narang, security response manager at Symantec, told SCMagazine.com on Wednesday that the infected apps were found in third-party online stores in China, but only time will tell whether the threat will make its way to the United States.
Earlier this month, news about the master key vulnerability spread rapidly because it affects 99 percent of Android devices. San Francisco-based Bluebox Security, which discovered the flaw, found that an estimated 900 million devices are impacted since the bug can be exploited in any Android phone released in the last four years.
Worse yet, Jeff Forristal, CTO at Bluebox, revealed that the exploit can be carried out without an app's cryptographic signature being modified. An alteration to the signature normally serves as a red flag that a legitimate app has been "trojanized" or tampered with in some way.
SCMagazine.com reached out to Google to inquire about what the company may be doing to prevent apps in its official Android app store from being impacted, but did not immediately hear back.
Forristal plans to reveal more details about the vulnerability at the Black Hat conference next week in Las Vegas.