Symantec has found the first legitimate applications modified to exploit the flaw in Android's digital-signature verification known as the “Master Key” bug. The apps were distributed through an unofficial Chinese app store.
The security firm identified two health apps, used to find a doctor and book appointments; both are infected with the Trojan Android.Skullkey, which could allow attackers to carry out a range of operations remotely and take complete control of the device.
“An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI [International Mobile Station Equipment Identity] and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,” explained Symantec.
A few days after the bug was disclosed, Google also released a patch for its mobile operating system, but the update reaches devices gradually, which widens the window for infection.
The vulnerability, identified by Bluebox Security and named Master Key, allows an APK file to be edited and malicious code injected into a legitimate app without invalidating its digital signature. To check whether your device is at risk, you can install Bluebox Security Scanner and run a scan.
The vulnerability has been present since 2009, when Android 1.6 Donut was released, so 99% of devices are potentially at risk, and similar exploits are to be expected sooner or later. Users are therefore advised to avoid third-party stores and rely solely on Google Play, which integrates a scanner that detects malware-infected applications and blocks their download.
As a quick note, the Master Key vulnerability has already been fixed in the recently released Android 4.3 Jelly Bean, so all new devices shipping with Android 4.3 will be safe.