Malicious ‘Master Key’ Android Apps Appear Online

Cyber crooks are actively taking advantage of a serious flaw affecting most Android users, which allows attackers to add malicious code to a legitimate app without altering the app’s cryptographic signature, a security company warned today.

Whilst purported exploit code had been released online, no truly malicious apps had been found taking advantage of the “master key” vulnerability until now.


Details on the flaw are due to be expanded on by startup BlueBox at BlackHat later this month, but one clear way to exploit the flaw is to somehow tamper with an app by adding an extra file into an Android application package (APK).

To exploit the flaw, attackers add two files of the same name to an APK subdirectory called META-INF, which contains signed checksums for all the other files in the package.

But Android only validates the most recently added file where two files have the same name. Yet it installs the second one, as Sophos explained in a blog post. That’s how hackers can sneak in infected files (a similar exploit was uncovered in China recently).
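A defender can screen packages for the duplicate-name condition described above before they are installed or published. The following is an added example, not code from Sophos, BlueBox, Symantec or Android; the function names and the sample archives (built in memory with placeholder contents and the entry name `classes.dex` chosen for illustration) are assumptions.

```python
import hashlib
import io
import warnings
import zipfile
from collections import defaultdict


def duplicate_entries(apk_bytes):
    """Map each entry name that occurs more than once to the SHA-256 of every copy."""
    copies = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, repeats included;
        # looking an entry up by its name string would return only one copy.
        for info in zf.infolist():
            with zf.open(info) as fh:
                copies[info.filename].append(hashlib.sha256(fh.read()).hexdigest())
    return {name: digests for name, digests in copies.items() if len(digests) > 1}


def build_sample(names):
    """Build a constructed, inert ZIP in memory holding the given entry names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile emits a UserWarning when a name is written twice
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, f"placeholder {i}")
    return buf.getvalue()


# Constructed samples: one ordinary layout, one with a repeated entry name.
CLEAN = build_sample(["AndroidManifest.xml", "classes.dex", "META-INF/MANIFEST.MF"])
SUSPECT = build_sample(
    ["AndroidManifest.xml", "classes.dex", "classes.dex", "META-INF/MANIFEST.MF"]
)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        dups = duplicate_entries(blob)
        print(label, "REJECT" if dups else "ok")
        for name, digests in dups.items():
            # Differing digests mean the copies are not the same file.
            print("  ", name, len(digests), "copies, distinct:", len(set(digests)))
```

A legitimately built package has no reason to carry two entries with the same name, so any non-empty result is grounds to reject the file.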

And it appears that is what hackers have now done in their attempts to steal user data.

The so-called “Skullkey” apps, two of which were uncovered by Symantec, look like legitimate applications distributed on Android marketplaces in China to help users make doctor appointments.

“An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,” Symantec said in a blog post.

“We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has.

“We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices.”

A program from Duo Security and the System Security Lab at Northeastern University claims to patch the master key flaw.

Users have been advised to only download apps from reputable online stores. Google Play should be free of such nasty apps, although Trend Micro has pointed to more malicious applications that made it onto the official store.

The firm found seven rogue apps related to the eagerly anticipated game Plants Vs Zombies 2 on the Google Play store. The Android maker has now removed the malicious software.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
