Researchers have spotted the first in-the-wild apps to exploit a critical Android vulnerability allowing attackers to inject malicious code into legitimate programs without invalidating their digital signature.
The two apps, distributed on unofficial Android marketplaces in China, help people find doctors and make appointments, according to a blog post published Tuesday by researchers from security firm Symantec. By exploiting the recently disclosed "master key" vulnerability, or possibly a separate, closely related Android flaw, attackers were able to surreptitiously add harmful functions to the apps without invalidating the cryptographic signature that is supposed to guarantee the apps haven't been modified. The "master key" bug stems from two Android components, the signature verifier and the installer, disagreeing about which file to use when an APK's ZIP container holds two entries with the same name: the verifier checks one copy, the installer runs the other.
"An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available," a Symantec researcher wrote. "Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions)."
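The duplicate-entry trick the quote describes, modelled as an added example that is not Symantec's code or part of the original article. It uses Python's zipfile to build an APK-like archive with two `classes.dex` and two `AndroidManifest.xml` entries, then shows a simulated signature check accepting the repack while a simulated loader runs the injected copy. The first-wins/last-wins split between the two parsers, the constructed file contents, and the `signature_still_valid` stand-in for the real META-INF digest check are simplifications assumed for illustration; the practitioner's takeaway is `duplicate_entry_names`, which flags any archive listing a name twice regardless of which parser wins.

```python
"""Model of the Android 'master key' trick: two ZIP entries with the same name,
checked by one parser and installed by another. Added example, not from the
article or Symantec; the first-wins/last-wins split is a simplified model."""
import hashlib
import io
import warnings
import zipfile

# Constructed stand-ins for real APK contents (not real DEX or manifest bytes).
ORIGINAL_DEX = b"dex\n035\x00 original app code"
MALICIOUS_DEX = b"dex\n035\x00 remote control + premium SMS"
ORIGINAL_MANIFEST = b"<manifest><uses-permission android:name='INTERNET'/></manifest>"
MALICIOUS_MANIFEST = b"<manifest><uses-permission android:name='SEND_SMS'/></manifest>"


def build_apk(entries):
    """Write (name, bytes) pairs into an in-memory ZIP in the given order.
    An APK is a ZIP, and nothing in the format forbids two entries sharing
    a name; zipfile only warns, which is silenced here to build the test case."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def entries_named(apk_bytes, name):
    """Contents of every central-directory entry with this name, in order.
    Reading via the ZipInfo object (not the name) reaches each copy."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def verifier_view(apk_bytes, name):
    """Digest the simulated signature checker sees. Modelled as last-wins,
    the way a dict keyed by filename behaves (assumption: simplified model)."""
    return hashlib.sha256(entries_named(apk_bytes, name)[-1]).hexdigest()


def loader_view(apk_bytes, name):
    """Digest of what the simulated installer actually uses. Modelled as
    first-wins, the way a sequential scan stopping at the first match behaves."""
    return hashlib.sha256(entries_named(apk_bytes, name)[0]).hexdigest()


def duplicate_entry_names(apk_bytes):
    """Practitioner's check: any name listed twice in the central directory
    is a red flag regardless of which parser wins."""
    seen = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            seen[info.filename] = seen.get(info.filename, 0) + 1
    return sorted(n for n, c in seen.items() if c > 1)


def signature_still_valid(apk_bytes, signed_digests):
    """Stand-in for the META-INF digest check: every signed entry's digest
    must match what the verifier sees. signed_digests is {name: sha256 hex}."""
    return all(verifier_view(apk_bytes, n) == d for n, d in signed_digests.items())


# The legitimate app as the developer shipped it (constructed)...
CLEAN_APK = build_apk([
    ("AndroidManifest.xml", ORIGINAL_MANIFEST),
    ("classes.dex", ORIGINAL_DEX),
])

# ...and the trojanized repack: malicious copies inserted ahead of the
# originals, so the last-wins verifier still hashes the signed originals.
TROJANIZED_APK = build_apk([
    ("AndroidManifest.xml", MALICIOUS_MANIFEST),
    ("classes.dex", MALICIOUS_DEX),
    ("AndroidManifest.xml", ORIGINAL_MANIFEST),
    ("classes.dex", ORIGINAL_DEX),
])


if __name__ == "__main__":
    signed = {n: verifier_view(CLEAN_APK, n)
              for n in ("AndroidManifest.xml", "classes.dex")}
    print("signature check passes on trojanized APK:",
          signature_still_valid(TROJANIZED_APK, signed))
    print("loader runs the signed original:",
          loader_view(TROJANIZED_APK, "classes.dex") == signed["classes.dex"])
    print("duplicate entries:", duplicate_entry_names(TROJANIZED_APK))
```

Run as a script it reports that the simulated signature check passes on the trojanized archive, that the loader nonetheless runs the injected code, and that both injected names show up as duplicates. Scanning an APK's central directory for repeated names is cheap and catches this family of repacks at the marketplace or MDM layer, independent of which Android build is doing the installing.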