Symantec Reports First Android Master Key Hacks Have Begun

Sometimes it stinks being right. To wit, Symantec earlier this month talked about the discovery of a so-called "Master Key" vulnerability in Android that would allow remote attackers to inject malicious code into legitimate apps without invalidating the signature. Symantec called it a "serious Android vulnerability," fearing that it would quickly be spotted in the wild. Less than a month later, Symantec was proven right.

Norton Mobile Insight—our system for harvesting and automatically analyzing Android applications from hundreds of marketplaces—has discovered the first examples of the exploit being used in the wild," Symantec stated in a blog post. "Symantec detects these applications as Android.Skullkey. We found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments."

Chines Android Apps

In both cases, an attacker added code that allows him/her to remotely control devices, steal sensitive data, send premium SMS messages, and even disable a few Chinese mobile security software apps by using root commands (if available), Symantec says.

Due to the low level of difficulty, Symantec expects attackers to continue leveraging the vulnerability. As always, it's recommended you only download apps from trusted sources (Symantec said it's found four additional instances of this attack on third-party app sites), and of course Symantec would love it if you ran their security software on your mobile device (can we say vested interest?).