Android Malware Spotted Exploiting 'Master Key' Flaw
When security researchers expose software vulnerabilities, it often doesn't take long for malware writers to exploit those vulnerabilities.
So it is with the Android "master key" vulnerability found (but not revealed) earlier this month by security startup Bluebox Security, and fully disclosed by two independent researchers who figured out what Bluebox was up to.
Two apps found in Chinese-language "off-road" app markets by security company Symantec replicate Bluebox's exploit by sticking not one, but two "classes.dex" files in each installation package.
Because classes.dex holds the actual app code, a malicious coder could put two apps in the same installation package: a real one and a malicious one.
Unfortunately, that makes the Android installation routine fall for a bait-and-switch trick. The routine will verify the first app as legitimate, but install the second, letting the impostor get through.
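The bait-and-switch described above leaves a simple fingerprint in the installation package: an APK is a ZIP archive, and the trick needs two entries with the same name. The check below, an added example rather than code from the article or from Symantec, flags any APK whose central directory lists a duplicated entry name; the sample packages it builds are constructed, unsigned test fixtures with placeholder bytes instead of real app code.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every ZIP entry name listed more than once.

    An APK is a ZIP file. The 'master key' bait-and-switch relies on the
    archive carrying two entries with one name (e.g. two classes.dex), so a
    single duplicated name is already a red flag for an APK scanner.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample_apk(duplicate_dex: bool) -> bytes:
    """Build a constructed, minimal APK-shaped ZIP for exercising the check.

    Test fixture only: the entries hold placeholder bytes, not app code, and
    the archive is unsigned, so nothing here is installable.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names but still writes both entries,
        # which is exactly the shape the scanner must recognise.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<placeholder manifest>")
            zf.writestr("classes.dex", b"PLACEHOLDER: legitimate app code")
            if duplicate_dex:
                zf.writestr("classes.dex", b"PLACEHOLDER: second, untrusted copy")
    return buf.getvalue()


def verdict(apk_bytes: bytes) -> str:
    """Summarise the duplicate-entry check as a one-line scanner verdict."""
    dups = duplicate_entries(apk_bytes)
    if not dups:
        return "clean"
    return "suspicious: duplicate entries " + ", ".join(sorted(dups))


if __name__ == "__main__":
    print(verdict(build_sample_apk(duplicate_dex=False)))  # clean
    print(verdict(build_sample_apk(duplicate_dex=True)))   # suspicious: duplicate entries classes.dex
```

Run against a real APK by reading its bytes into `verdict`; a clean package never has a repeated entry name, so any hit is worth a manual look before installation.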
The malicious Chinese apps are modified versions of legitimate apps that help users find doctors and schedule medical appointments.
"An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI [handset IDs] and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available," said a posting on Symantec's Security Response blog.
Bluebox tipped off Google about the flaw in February, and Google has since fixed both the Google Play app store and the Android operating system.
But because few devices actually run "stock" Android unmodified by device manufacturers, millions of devices are still vulnerable to this exploit.
To stay safe, make sure your Android security settings are set to not allow installation of software from "unknown sources" — i.e., anything other than Google Play.
Unfortunately, if you're in China, you can't really do that. Due to Google's ongoing beef with the Chinese government, Chinese users of Android can't install paid apps from Google Play, which often doesn't even come pre-installed on Chinese phones.
That makes off-road app markets essential for Chinese Android users — and makes those users especially vulnerable to all sorts of Android malware exploits.
Follow Paul Wagenseil @snd_wagenseil.