First use of Android 'Master Key' vulnerability discovered

Security specialist Symantec is reporting the first malicious use of the Android 'Master Key' vulnerability that allows hackers to inject malicious code into apps without invalidating the digital signature.

The vulnerability was discovered earlier this month but Norton Mobile Insight has now detected its first use in the wild. Mobile Insight harvests and analyzes Android apps from marketplaces around the world and has discovered the infection labelled Android.Skullkey in two applications from China. These are legitimate apps used to make appointments with doctors.

A hacker has added code to these apps allowing them to steal sensitive data such as IMEI and phone numbers. They can also remotely control the device, send premium rate SMS messages and even disable some Chinese market security apps at root level.

Symantec's official blog says, "We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices. Symantec recommends users only download applications from reputable Android application marketplaces". Naturally, it also advises that Norton Mobile Security can protect against this threat.

Photo credit: arbalet/Shutterstock