Symantec (SYMC) has discovered two mobile apps on Chinese Android marketplaces in which hackers have compromised validated applications by exploiting the so-called “master key” vulnerability, according to its security blog.
Earlier this month, Bluebox Labs, a security specialist, uncovered a weakness in Google’s (GOOG) Android operating system that could enable cyber attackers to take over a user’s smartphone. The flaw, which dates back to Android version 1.6 and could affect some 900 million devices, involves the cryptographic signature of authentic Android applications, which is an assurance that the software hasn’t been meddled with by parties other than the actual developer.
Bluebox researchers found a way to defeat Android’s signature verification so that malicious code could slip by unnoticed. At the time, no hacker had exploited the security loophole, making the danger more theoretical than imminent.
Well, according to Symantec, that’s no longer the case. The security vendor uncovered what it called “legitimate applications” for locating doctors and making appointments that had been infected by malware without compromising their authentication.
“Earlier this month, we discussed the discovery of the Master Key vulnerability that allows attackers to inject malicious code into legitimate Android applications without invalidating the digital signature. We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has,” Symantec researchers wrote in the blog post.
“Norton Mobile Insight—our system for harvesting and automatically analyzing Android applications from hundreds of marketplaces—has discovered the first examples of the exploit being used in the wild.”
This surely is bad news. Two weeks ago, Google started shipping a patch to OEMs, who in turn must ship it to customers, meaning Android-based smartphone users will have to rely on their hardware vendors for the security update. At the time, a Google spokesperson said the vendor has “not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue — and Verify Apps provides protection for Android users who download apps to their devices outside of Play.”
Google may have to look again, and perhaps closer this time. “We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices,” wrote Symantec.