First Malicious Use of ‘Master Key’ Android Vulnerability Discovered

Earlier this month, we discussed the discovery of the Master Key vulnerability that allows attackers to inject malicious code into legitimate Android applications without invalidating the digital signature. We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has.

Norton Mobile Insight—our system for harvesting and automatically analyzing Android applications from hundreds of marketplaces—has discovered the first examples of the exploit being used in the wild. Symantec detects these applications as Android.Skullkey.

We found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments.

xxAndroid-MasterKey-1-edit.png   xxAndroid-MasterKey-2-edit.png

Figure 1. Screenshots of the two infected applications

An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available.


Figure 2. Snippet of injected code

Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions).


Figure 3. Files contained in the Android application package

We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices. Symantec recommends users only download applications from reputable Android application marketplaces. Norton Mobile Security will also protect you from these and other threats and Norton Halt can also advise if your phone is susceptible to this vulnerability.

Update [July 24, 2013] – We have discovered four additional Android applications infected by the same attacker and being distributed on third-party app sites. The apps are a popular news app, an arcade game, a card game, and a betting and lottery app. All of these apps are designed for Chinese language users.

We have also determined Android.Skullkey will send a text message to all your contacts with a link to a mobile game at This site is currently down.


Figure 4. Text message sent to all contacts, #name# is replaced with recipient contact name

The Chinese language message reads: "[NAME], please download the game [URL] let's PK in the game together and get points".

Viber’s online help desk sacked by pro-Syrian hackers

The online helpdesk for Viber, an instant-messaging and VoIP service, was defaced by pro-Syrian hackers who claimed to have accessed e-mail addresses, phone numbers, and other personal information belonging to the company's users and employees.

The defaced page bore a blue banner that read "Hacked by the Syrian Electronic Army," a reference to the pro-hacking crew that regularly breaches online accounts in the name of Syrian President Bashar al-Assad. In recent months, the group has accessed Twitter or website accounts belonging to the Financial Times, the Associated Press, The Guardian, The BBC, and Al Jazeera, to name just a few. More recently, it has reportedly breached accounts belonging to chat app developer Tango and the online news portal Daily Dot.

"We weren't able to hack all Viber systems, but most of it is designed for spying and tracking," the SEA wrote of the Israel-based company on its subdomain. The tampered page also included a large image purporting to show the IP addresses, e-mail addresses, and other details belonging to people who had accessed the company's servers. A little while later, the defacement was replaced with a simple "403 Forbidden" error message. At publication time, the page carried the same message.

Read 2 remaining paragraphs | Comments


Equal-opportunity malware targets Macs and Windows


Researchers have uncovered a family of malware that targets both Windows and OS X. Janicab.A, as the trojan is known, is also unusual because it uses a YouTube page to direct infected machines to command-and-control (C&C) servers and follows a clever trick to conceal itself.

The threat first came to light last week, when researchers from F-Secure and Webroot documented a new trojan threatening Mac users. Like other recently discovered OS X malware, Janicab was digitally signed with a valid Apple Developer ID. It also used a special unicode character known as a right-to-left override to make the infection file appear as a PDF document rather than a potentially dangerous executable file.

On Monday, researchers from Avast published a blog post reporting that Janicab can also infect computers running Windows. The strain exploits a vulnerability Microsoft patched in 2012 to install a malicious Visual Basic script that can remain active even after infected machines are restarted.

Read 2 remaining paragraphs | Comments


Use of Legit Online Translation Services in Pharmacy Spam

For the last few months, Symantec has been observing pharmacy related spam attacks where spammers are using the legitimate Google Translate service to avoid anti spam filters. 

Most of the samples received were sent from hijacked email addresses from popular free mail services. 
The majority of the messages’ subject lines were promoting either online pharmacies or well-known  tablets such as Viagra, Cialis and others. Furthermore, in an effort to make the spam immune to filters, several observed subject lines contained randomized non-English characters or words inserted at the beginning or end of the subject line. 


Figure 1. Sample subject lines

The body of the spam message contains a Google Translate link as well as promotional text explaining the advantages of ordering medicines from online websites, there’s even a discount code included for the reader.


Figure 2. Sample spam message

The mechanism of the redirection is quite complex. After clicking the link, Google Translate is meant to get a second address embedded in the link, which then redirects to a pharmacy website.

In our sample the final destination was the following pharmacy site:

  • [http://]

It is worth noting that previously spammers mostly used freewebs or URL shortening services in the second part of the link (redirection link), but recently they’ve taken advantage of country IDN top-level domains, especially Cyrillic .рф domains. In redirection links, Cyrillic domains are represented in Punycode. 

The following is an example of a link as it presented in a spam mail:

  • [http://]

Output from win-1251 decoding:

  • [http://]

With Punycode decoding:

  • [http://][http://]конггандон.рф/ipf24aeAGzLC8vs0zJMzA3NDQ0NzAEACbKBDs .aspx

Symantec is successfully blocking the majority of variations of Google Translate redirection spam and is closely monitoring for any other inappropriate use of Google Translate services in spam email. This exploit is used in spam campaigns and has not, as yet, been observed being used in the distribution of malware.