More apps exploiting Android "Master Key" bug found
Posted on 09.08.2013
Patches for the two recently discovered Android "Master Key" bugs are still to be pushed out by many mobile carriers and device manufacturers.

In the meantime, malware developers have seized the opportunity and are making available for download seemingly legitimate and innocuous apps that have been modified to perform malicious actions.

"Master Key" bugs allow attackers to modify the code of any app without breaking its cryptographic signature, and thusly allows them to stealthily plant malicious apps on legitimate app stores and users' phones.

Spotted and analyzed by Sophos researchers, the latest batch of these apps were designed to collect data regarding installed applications, SMS messages, and the IMSI number of the SIM card, as well as to send text messages to a list of numbers in China.

They are also able to connect to a server located on, a domain that currently does not lead anywhere.

The thing that it's interesting to note is that the app creators tried to take advantage of a "Master Key" bug, but were obviously not experienced enough to do it well.

According to researcher Paul Ducklin, in two of the apps they modified the original files but haven't re-signed the files correctly and have invalidated the APK (Android aplication package file). With the third one - an add-on pack called Fashion for a picture-based messaging app called Lexin - they succeeded.

The researchers haven't mentioned where they have found the aforementioned apps, but given that they are designed to send messages to a Chinese number, a good bet is that they were being offed for download on Chinese third-party online app markets.

In order to prevent getting infected, Ducklin advises using a mobile AV solution and downloading apps only from Google Play Store.

But, if you are tired of waiting for the patch for the flaws, you might consider using ReKey, a mobile app that takes the upstream patch from Google and deploys it in a safe and non-destructive manner on your device.


VPN protocol flaw allows attackers to discover users' true IP address

The team running the Perfect Privacy VPN service has discovered a serious vulnerability that affects all VPN providers that offer port forwarding, and which can be exploited to reveal the real IP address of users.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Nov 30th