Earlier this month, security firm Symantec revealed details of a serious Android vulnerability, dubbed ‘Master Key’ (originally disclosed by Bluebox Security), and of its abuse in the wild.
Android applications must carry a digital signature. The signature lets the platform verify that the package contents have not been altered since signing, and that updates come from the same publisher key as the original app.
According to Symantec, Android uses an app-level permission system in which each app must declare, and be granted, permission to perform sensitive tasks. Digital signing is what stops a third party from tampering with an app and inheriting the permissions it has already been granted.
The Master Key vulnerability allows an attacker to inject malicious code into a legitimate app without invalidating its digital signature. The flaw lies in how Android handles an APK (a ZIP archive) that contains two entries with the same file name: the signature verifier and the installer do not agree on which of the duplicate entries to use, so the code that is checked is not the code that ends up running.
This lets an attacker hide code inside a trusted app and perform sensitive functions under the permissions that app already holds, because the tampered package still presents a valid signature from the original publisher.
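To make the duplicate-entry condition concrete, here is an added example (not code from the original post, nor from Symantec or Bluebox) using only Python's standard zipfile module. It builds a constructed, minimal APK-shaped ZIP carrying two `classes.dex` entries (placeholder bytes, not real dex), shows that two consumers of the same archive can disagree on which entry wins, and includes a simple pre-install check that flags duplicated names. Which component of the real Android stack took the first or the last entry is not assumed here; the example only demonstrates that the disagreement exists and how to detect the condition.

```python
import io
import warnings
import zipfile
from collections import Counter

# Constructed sample payloads (placeholders, not real Dalvik bytecode).
ORIGINAL_DEX = b"dex\n035\x00signed-and-verified-code"
MALICIOUS_DEX = b"dex\n035\x00attacker-injected-code"


def build_master_key_apk() -> bytes:
    """Build an in-memory ZIP with a duplicated classes.dex entry.

    APKs are ZIP archives. A ZIP may legally contain two central-directory
    entries with the same name; the Master Key flaw is that different
    consumers of the archive resolve that name to different entries.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns "Duplicate name" but still writes both entries.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", ORIGINAL_DEX)   # entry 1
            zf.writestr("classes.dex", MALICIOUS_DEX)  # entry 2, same name
    return buf.getvalue()


def first_entry(zf: zipfile.ZipFile, name: str) -> bytes:
    """Bytes of the FIRST entry with this name (one consumer's view).

    infolist() preserves central-directory order, so walking it and
    stopping at the first match models a reader that keeps the first
    occurrence of a name.
    """
    for info in zf.infolist():
        if info.filename == name:
            return zf.read(info)  # read() accepts a ZipInfo object
    raise KeyError(name)


def last_entry(zf: zipfile.ZipFile, name: str) -> bytes:
    """Bytes of the LAST entry with this name (another consumer's view).

    ZipFile.read(name) resolves the name through a dict in which later
    entries overwrite earlier ones, so it already behaves this way.
    """
    return zf.read(name)


def views(apk_bytes: bytes, name: str = "classes.dex") -> tuple:
    """Return (first-entry bytes, last-entry bytes) for one archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return first_entry(zf, name), last_entry(zf, name)


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Detection check: names that occur more than once, with their counts.

    A package that trips this check should be rejected before any
    signature verification, since the verifier and the installer may
    not be looking at the same bytes.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    apk = build_master_key_apk()
    first, last = views(apk)
    print("duplicates:", duplicate_entries(apk))
    print("first entry :", first)
    print("last entry  :", last)
    print("consumers disagree:", first != last)
```

The check in `duplicate_entries` is the practical takeaway: a hardened installer refuses any archive whose central directory repeats a name, rather than trusting that every reader of the archive will pick the same entry.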
Full details of the vulnerability were due to be presented at this year’s Black Hat USA 2013 conference (July 27 to August 1). Its seriousness, however, prompted disclosure ahead of the event.
Symantec has now found six malicious apps exploiting the Master Key vulnerability. The trojanised apps include a popular news app, an arcade game, a card game, a betting and lottery app, and a medical clinic booking app. All of them target Chinese-language users.
I’m sure Symantec will be watching over any developments regarding the Master Key with a keen eye. Perhaps we will discover more when Black Hat kicks off – I’m sure it will be a major talking point.