First Malicious Use of ‘Master Key’ Android Vulnerability Discovered

Earlier this month, we discussed the discovery of the Master Key vulnerability that allows attackers to inject malicious code into legitimate Android applications without invalidating the digital signature. We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has.

Norton Mobile Insight—our system for harvesting and automatically analyzing Android applications from hundreds of marketplaces—has discovered the first examples of the exploit being used in the wild. Symantec detects these applications as Android.Skullkey.

We found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments.
 

xxAndroid-MasterKey-1-edit.png   xxAndroid-MasterKey-2-edit.png

Figure 1. Screenshots of the two infected applications
 

An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available.
 

xxAndroid-MasterKey-3-edit.png

Figure 2. Snippet of injected code
 

Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions).
 

xxAndroid-MasterKey-4-edit.png

Figure 3. Files contained in the Android application package
 

We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices. Symantec recommends users only download applications from reputable Android application marketplaces. Norton Mobile Security will also protect you from these and other threats and Norton Halt can also advise if your phone is susceptible to this vulnerability.
 

Update [July 24, 2013] – We have discovered four additional Android applications infected by the same attacker and being distributed on third-party app sites. The apps are a popular news app, an arcade game, a card game, and a betting and lottery app. All of these apps are designed for Chinese language users.

We have also determined Android.Skullkey will send a text message to all your contacts with a link to a mobile game at hldc.com. This site is currently down.
 

4-android-skullkey-sms.png

Figure 4. Text message sent to all contacts, #name# is replaced with recipient contact name
 

The Chinese language message reads: "[NAME], please download the game [URL] let's PK in the game together and get points".