Android Apps With Malicious ‘Master Key’ Infection Appear Online
Apps with infected code appear in the wild on Chinese app stores
Cyber crooks are actively taking advantage of a serious flaw affecting most Android users, which allows attackers to add malicious code to a legitimate app without altering its cryptographic signature, a security company warned today.
While it has been said the exploit code had been released online, no truly malicious apps had been found taking advantage of the “master key” vulnerability until now.
Android master key
Details of the flaw are due to be expanded upon by startup BlueBox at the Black Hat Conference at the end of this month, but one clear way to exploit the flaw is to somehow tamper with an app by adding an extra file into an Android application package (APK).
To do this, attackers add two files of the same name to an APK subdirectory called Meta-inf, which contains signed checksums for all the other files in the package. Android only validates the most recently-added file where two files have the same name. Yet it installs the second one, as Sophos explained in a blog post, and that’s how hackers can sneak in infected files (a similar exploit was uncovered in China recently).
This is the method apparently used by the hackers in their attempts to steal user data.
The so-called “Skullkey” apps, two of which were uncovered by Symantec, look like legitimate applications distributed on Android marketplaces in China to help users make doctor appointments.
“An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI [International Mobile Station Equipment Identity] and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,” Symantec said in its blog. “We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has. We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices.”
A program from Duo Security and the System Security Lab at Northeastern University, Oaklahoma, USA, claims to patch the master key flaw.
Users have been advised to download apps from reputable online stores only.
This article appeared on TechWeekEurope. Click here for the full story.