Cyber criminals have successfully exploited a recently discovered vulnerability to infect legitimate apps without invalidating their digital signatures.
Cyber criminals are successfully using a recently found Master Key vulnerability to inject malicious code into legitimate Android apps without invalidating their digital signatures. The code enables the attacker to remotely take control of infected devices, steal sensitive data, send texts, and disable select security applications using root commands.
The news, which comes from Symantec, certainly won’t help Android’s reputation for being insecure: Earlier this year, McAfee reported that Android was the mobile platform of choice among cyber criminals. More recently, Kindsight Security Labs reported that an increasing number of Android devices are infected with malware capable of transforming them into spy tools.
In this latest spate of Android infections, bad guys are exploiting the Master Key vulnerability to hide code inside apps, letting them use existing permissions to manipulate infected devices. An attacker can “remotely control devices, steal sensitive data like IMEI (International Mobile Equipment Identity) and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands,” according to the company.
The perpetrator is using a recently discovered Master Key vulnerability in Android, which lets a would-be attacker inject malicious code into legitimate Android apps without invalidating their digital signatures. “Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file that contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions),” according to Symantec.
This approach represents an evolution in malicious-code injection: Previously, attackers had to change “both the application and publisher name and also sign any Trojanized app with their own digital signature. Someone who examined the app details could instantly realize the application was not created by the legitimate publisher,” Symantec reported earlier this month. “Now that attackers no longer need to change these digital signature details, they can freely hijack legitimate applications, and even an astute person could not tell the application had been repackaged with malicious code.”
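Because the signature still verifies, the repackaging Symantec describes leaves one structural trace: the APK’s ZIP central directory lists `classes.dex` and `AndroidManifest.xml` twice. The following added example (not Symantec’s or Google’s code) checks an APK for exactly that; the in-memory sample packages it builds are constructed stand-ins for an APK, not real application files.

```python
import io
import warnings
import zipfile
from collections import Counter
from typing import Dict

# An APK must carry each of these exactly once; a second copy of either is the
# structural footprint of a Master Key style repackaging described above.
SENSITIVE_ENTRIES = {"classes.dex", "AndroidManifest.xml"}


def find_duplicate_entries(apk_bytes: bytes) -> Dict[str, int]:
    """Return {entry_name: count} for every name listed more than once in the
    ZIP central directory. zipfile.infolist() keeps every entry, even when
    names collide, so both copies are counted."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when a signature-critical entry (code or manifest) is duplicated."""
    return any(name in SENSITIVE_ENTRIES for name in find_duplicate_entries(apk_bytes))


def build_sample_apk(repackaged: bool) -> bytes:
    """Constructed sample: a minimal ZIP standing in for an APK. With
    repackaged=True a second classes.dex and AndroidManifest.xml are appended,
    mirroring the layout the article describes. Contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original")
        zf.writestr("META-INF/CERT.RSA", b"signature-placeholder")
        if repackaged:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("classes.dex", b"dex\n035\x00injected")
                zf.writestr("AndroidManifest.xml", b"<manifest extra-permissions/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_apk(False)),
                          ("repackaged", build_sample_apk(True))):
        print(label, find_duplicate_entries(sample), is_suspicious(sample))
```

To scan a real package, read its bytes from disk and pass them to `is_suspicious`; the check depends only on the central directory, so it works on signed APKs without touching the signature.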
Notably, the six infected apps spotted by Symantec are all geared toward Chinese-language speakers: Two are legitimate applications for finding doctors and making appointments, available via Android marketplaces in China. The others include a news app, a couple of games, and a betting and lottery app, according to Symantec.
That doesn’t mean Android users who use apps in languages other than Chinese should rest easy, though: It’s entirely plausible that infected versions of apps in English and other languages are forthcoming if not already in the wild as well.