Anti-malware software maker Symantech has discovered a master key vulnerability allowing hackers to add malicious codes into legitimate software without interfering with the digital signature.
Symantech said its Norton Mobile Insight System has detected the first examples after analysing hundreds of apps on the Android platform.
Symantech discovered two infected apps in China, which were legitimate health apps and used to find and make appointments with doctors.
In other apps all in the Chinese language the attack was carried through third party apps by the same hacker and included a popular news app, a card game, a betting and a lottery app.
According to Symantech, the hacker in the case of these apps, added a code into the applications allowing them to access sensitive data including their phone numbers and IMEI, as well as being able to send SMS.
The hacker by the modification can further disable a number of mobile security software applications using root commands.
“Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions),” said the company on itsa href=”http://www.symantec.com/connect/blogs/first-malicious-use-master-key-android-vulnerability-discovered”>blog showing how the attack was perpetrated in a second example.
Symantech now advises users to download applications from “reputable Android application marketplaces” as well as install established mobile security software.
