Symantec spots two Android apps using 'master key' vulnerability

The applications help Chinese users schedule medical appointments

Hackers are now using a critical vulnerability in Android to modify legitimate smartphone applications, putting users at risk of being spied on.

Security vendor Symantec wrote on Tuesday that it found two applications being distributed in Chinese Android marketplaces that have employed the "master key" vulnerabilities discovered earlier this month.

Both applications, used to find and schedule medical appointments, are legitimate but have been modified by hackers, Symantec wrote on its blog.

Inserted into the programs is code that lets an attacker remotely control an Android device and collect data such as phone numbers and the device's IMEI number. It can also deactivate some Chinese mobile security software programs.

Additionally, the code can command a device to send SMSes to a premium number, a scam where an attacker controls the number and collects the fees charged to the victim.

One of the master key vulnerabilities was uncovered by a mobile security vendor, Bluebox Security. The company found that an Android package file, used to install an application, could be modified in a way that did not affect the application's original cryptographic digital signature. The signature verifies an application's integrity. A second, similar vulnerability was published on a Chinese forum.

Google quickly issued patches for the problems, which may affect as many as 900 million devices made over the last four years running Android versions 1.6 and higher.

Mobile phone operators must either send a patch out to users, which can be a slow process, or users must apply a patch themselves, which is unlikely for less-sophisticated smartphone users. Some security vendors have issued their own software to fix the vulnerability.

Google is scanning applications in its Play store to weed out programs that might be infected. Symantec also gave the usual security advice for users to only download applications from reputable Android marketplaces.

"We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices," the company wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags symantecsecurityMobile OSesmobileExploits / vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?