Two Android Apps Found Using Master Key Vulnerability
July 24, 2013

Michael Harper for - Your Universe Online

Security firm Symantec has discovered two Android apps that have been tampered with using a bug found in Google's Android operating system earlier this month. The bug allows attackers to modify an app's package file without invalidating its original digital signature, the signature that is supposed to vouch for the app's legitimacy and safety. Symantec now says two apps in a Chinese app store have been compromised by this Master Key vulnerability.

Those responsible for injecting malicious code into the otherwise legitimate apps are using the Master Key flaw to steal the phone's International Mobile Station Equipment Identity (IMEI) and the phone numbers stored on the device, and even to send premium SMS messages. The attackers also use the vulnerability to disable other security features that may be present on the phone. In a blog post, Symantec says the two apps are used to help people find doctors and schedule health appointments.

Security research firm Bluebox discovered the bug in Google's Android operating system earlier this month. According to Bluebox CTO Jeff Forristal, the vulnerability has been present in Android for about four years and affects 99 percent of all devices running Google's mobile OS, or about 900 million devices worldwide.

Forristal said the bug had been "responsibly disclosed" to Google last February, and he plans to discuss it in greater detail next week at the Black Hat security conference in Las Vegas, Nevada.

Shortly after the Bluebox report was released, Google began issuing patches for devices running Android 1.6 and higher. Though Google was quick to respond, the mobile operators are responsible for ensuring that customers actually receive the patches that protect their devices. Sophisticated Android users can download and install a patch themselves once one is made available by other security software providers.

Android is often accused of being a fragmented operating system, meaning the many different phone manufacturers and mobile carriers have to work together to send out updates to the OS. It's because of this fragmentation, whether perceived or real, that Symantec believes the Master Key vulnerability will continue to threaten the safety of some 900 million Android users.

"We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices," reads the Symantec blog.

The security firm recommends downloading apps only from reputable app stores. Google likewise suggests sticking to the Google Play store, and both recommend against sideloading apps from other websites.

Android's popularity and fragmentation are often blamed for the numerous attacks on the operating system. In an April report, Symantec said Android and small businesses were the most targeted by hackers in 2012. Though Apple's iOS was found to have the most documented vulnerabilities last year, only one threat was created for that platform. Android, however, saw significantly more harmful apps written to exploit its users.

Fifty percent of all malicious Android apps discovered by Symantec in 2012 were used to track Android users and steal their personal information.