First Two Apps Infected With Android Master Key Vulnerability Uncovered By Symantec

Google’s Android may be in the news for all the right reasons at the moment, but just a few days ago, security vendor Bluebox Security announced that it had discovered a way that malicious code could be injected into otherwise entirely legitimate Android applications. Now it appears that this issue is more than just a theory: security firm Symantec has announced in a blog post that it has discovered two apps that have fallen foul of the exploit, known as the Master Key exploit.

The two apps currently reside in a Chinese Android app store, and both are apps that are used to find medical appointments in the area. Unfortunately, it would seem that both have fallen victim to the recently discovered ‘Master Key’ security hole that Bluebox told us about not that long ago.

According to Symantec, the injected code allows an attacker to remotely control the infected device, meaning it can be used in order to send SMS messages to a premium number, for example. The attacker would then collect the spoils of those SMS messages, making it a potentially lucrative exercise.

Google has already issued patches for both this exploit and a similar one that was posted to a Chinese forum not long after, though the nature of Android means that the platform is reliant on both carriers and hardware vendors to incorporate those patches into their software. This means that there are potentially circa 900 million Android devices that are affected by the two security flaws, a number that would concern anyone. If 900 million doesn’t concern you, think of it this way: just under a billion devices.


Google, for its part, is currently scanning its Google Play Store in order to weed out any infected applications, and has recently suggested that users only download apps that are available on popular and recognized app stores. With Google effectively allowing anyone to run their own store, as well as making it possible to side-load apps, the only real way to ensure security is to get Google’s new patches onto as many devices as quickly as possible.

We have said it time and time again: it’s good to have apps on board that constantly keep a check on your device and your personal files. To check whether or not your device is affected by the Master Key exploit, give Bluebox Security Scanner for Android a shot.

(Source: Symantec)
