Researchers spot new breed of infected Android apps in the wild

Cyber criminals have successfully exploited a recently discovered vulnerability to infect legit apps without invalidating their digital signatures

Cyber criminals are successfully using a recently found Master Key vulnerability to inject malicious code into legitimate Android apps without invalidating their digital signatures. The code enables the attacker to remotely take control of infected devices, steal sensitive data, send texts, and disable select security applications using root commands.

The news, which comes from Symantec, certainly won't help Android's reputation for being insecure: Earlier this year, McAfee reported that Android was the mobile platform target of choice among cyber criminals. More recently, Kindsight Security Labs reported an increasing number of Android devices are infected with malware capable of transforming them into spy tools.

In this latest spate of Android infections, bad guys are exploiting the Master Key vulnerability to hide code inside apps, letting them use existing permissions to manipulate infected devices. An attacker can "remotely control devices, steal sensitive data like IMEI (International Mobile Equipment Identity) and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands," according to the company.

The perpetrator is using a recently discovered Master Key vulnerability in Android, which lets a would-be attacker inject malicious code into legitimate Android apps without invalidating their digital signatures. "Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file that contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions)," according to Symantec.
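The Master Key flaw is a ZIP-handling bug: an APK can carry two entries with the same name, and the signature verifier checks one copy while the installer loads the other, which is why a second classes.dex and manifest can be added without breaking the signature. Below is an added example (not code from the article or from Symantec) that scans an APK's central directory for duplicated entry names, the check an app-store scanner or incident responder would run; the archive it builds is a constructed stand-in, not a real app.

```python
import io
import warnings
import zipfile
from collections import Counter

# Entries the installer treats as code and permissions; a second copy of
# either is the structure Symantec describes for the repackaged apps.
SENSITIVE_ENTRIES = {"classes.dex", "AndroidManifest.xml"}


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every name listed more than once in the
    APK's ZIP central directory. Walk infolist(), not a name->entry map:
    a map keyed by name silently keeps only one copy, which is exactly
    how the vulnerable verifier lost sight of the second file."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_master_key_repack(apk_bytes: bytes) -> bool:
    """True if any duplicated entry is one the Android runtime would load."""
    return any(name in SENSITIVE_ENTRIES for name in duplicate_entries(apk_bytes))


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed APK-shaped archive for the check (hypothetical contents,
    not a real app). With tamper=True a second classes.dex and manifest are
    appended after the signed originals, which stay byte-for-byte intact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00original")
        zf.writestr("META-INF/CERT.SF", b"digests of the original entries")
        if tamper:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("classes.dex", b"dex\n035\x00injected")
                zf.writestr("AndroidManifest.xml", b'<manifest extra="perms"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for tamper in (False, True):
        apk = build_sample_apk(tamper)
        print("tampered" if tamper else "clean",
              duplicate_entries(apk), is_master_key_repack(apk))
```

A clean APK reports no duplicates; the tampered one reports both sensitive names twice, which is enough to flag it before any signature check is trusted.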

This approach represents an evolution in malicious-code injection: Previously, attackers had to change "both the application and publisher name and also sign any Trojanized app with their own digital signature. Someone who examined the app details could instantly realize the application was not created by the legitimate publisher," Symantec reported earlier this month. "Now that attackers no longer need to change these digital signature details, they can freely hijack legitimate applications, and even an astute person could not tell the application had been repackaged with malicious code."

Notably, the six infected apps spotted by Symantec are all geared toward Chinese-language speakers: Two are legitimate applications for finding doctors and making appointments, available via Android marketplaces in China. The others include a news app, a couple of games, and a betting and lottery app, according to Symantec.

That doesn't mean Android users who use apps in languages other than Chinese should rest easy, though: It's entirely plausible that infected versions of apps in English and other languages are forthcoming, if not already in the wild.

This story, "Researchers spot new breed of infected Android apps in the wild," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2013 IDG Communications, Inc.