First real world 'master key' exploit discovered sneaking malware into Android apps

Two apps have been discovered on unofficial marketplaces in China that might just be the first in-the-wild exploits of the massive bug found by Bluebox two weeks ago. The so-called "master key" vulnerability, or a least an extremely close relative of it, was the point of entry for malware in these two apps, which now carry code that allows an attacker to remotely hijack a device, harvest sensitive data and even disable a number of mobile security suites. The concern here, is that this particular security hole allowed these alterations to be made without invalidating the apps' digital signatures. So, the malware was able to sneak through filters, hidden as a Trojan Horse inside pieces of legitimate software. Google has already patched the vulnerability, preventing compromised apps from slipping in to the official Play store. Additional updates addressing the flaw have been issued to carriers and manufacturers, but we all know it could be quite sometime before everyone applies the patches to their products.

Filed under: Software, Mobile, Google

Comments

Via: Ars Technica

Source: Symantec