Fortunately, the apps identified by Bitdefender are not malicious

Jul 18, 2013 09:03 GMT

A proof-of-concept exploit for the “master key” vulnerability in Android has already been made public, so it could be only a matter of time until we see some Trojanized apps that leverage the flaw.

In the meantime, Bitdefender experts have spotted a couple of fairly popular applications on Google Play that exploit the vulnerability. The apps in question are Rose Wedding Cake Game and Pirates Island Mahjong Free, both updated in mid-May.

However, in this case, the bug is not leveraged for malicious purposes.

“The applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake,” Bitdefender’s Bogdan Botezatu explained.

“In contrast, malicious exploitation of this flaw focuses on replacing application code,” he noted.

While the apps are not malicious, the discovery does show that applications leveraging the cryptographic signature vulnerability don’t raise any red flags when published on Google Play.

Google has already addressed the vulnerability and OEMs are said to be working on it. However, because of Android’s fragmentation, it will take some time until the patch reaches end-users.

That’s why Android device owners should consider alternative protections while they wait for an official update. For instance, CyanogenMod users are already protected against the exploit.

Duo Security has released an app called ReKey that’s designed to address the vulnerability on rooted devices. In addition, Bitdefender and other security solutions providers have updated their mobile products for Android to make sure they detect applications that abuse the master key flaw.
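The detection that the article attributes to Bitdefender and the other vendors comes down to one structural check: an APK is a ZIP archive, and a package that exploits the “master key” flaw carries two entries with the same name, so that the component verifying the signature and the component installing the files can end up looking at different content. The following is an added example of that check, not Bitdefender’s or Duo Security’s code. The entry names (`classes.dex`, `res/drawable/cake.png`) and the byte strings are constructed stand-ins for test data; the real resource names in the two games mentioned above are not given in the article. The classifier follows the article’s distinction between a duplicated resource (likely a packaging mistake) and duplicated application code (the pattern malicious exploitation would use).

```python
"""Flag duplicate entry names inside an APK (a ZIP archive).

Added example, not vendor code. Sample archives below are constructed
in memory so the script runs offline with no real APK.
"""
import io
import warnings
import zipfile
from collections import defaultdict


def find_duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: [(size, crc32), ...]} for every name that occurs more
    than once in the archive's central directory.

    Any duplicate is worth flagging: when a verifier and an installer pick
    different entries for the same name, the signature covers one set of
    bytes and the device runs another.  Identical duplicates (same size and
    CRC) are still reported, since a scanner cannot know which copy each
    component of the platform will honour.
    """
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() preserves every central-directory record, including
        # duplicates; a name -> info dict would silently keep only one.
        for info in zf.infolist():
            seen[info.filename].append((info.file_size, info.CRC))
    return {name: recs for name, recs in seen.items() if len(recs) > 1}


def classify(apk_bytes: bytes) -> str:
    """Summarise the finding using the article's distinction between
    duplicated resources and duplicated code."""
    dups = find_duplicate_entries(apk_bytes)
    if not dups:
        return "clean"
    if any(name.endswith(".dex") for name in dups):
        return "duplicate code"
    return "duplicate resource"


def build_sample(entries) -> bytes:
    """Construct a ZIP from (name, data) pairs for testing; duplicates are
    written deliberately, so the zipfile module's warning is silenced."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples (placeholder bytes, not real Android files).
BASE = [
    ("AndroidManifest.xml", b"<manifest/>"),
    ("classes.dex", b"dex-placeholder-A"),
    ("res/drawable/cake.png", b"png-placeholder-A"),
]
CLEAN_APK = build_sample(BASE)
DUP_RESOURCE_APK = build_sample(BASE + [("res/drawable/cake.png", b"png-placeholder-B")])
DUP_CODE_APK = build_sample(BASE + [("classes.dex", b"dex-placeholder-B")])

if __name__ == "__main__":
    for label, apk in [("clean", CLEAN_APK),
                       ("dup resource", DUP_RESOURCE_APK),
                       ("dup code", DUP_CODE_APK)]:
        print(f"{label:13s} -> {classify(apk)} {find_duplicate_entries(apk)}")
```

The check reads only the central directory, which is what `zipfile` exposes; a production scanner would also cross-check each local file header against its central-directory record, because the two can disagree in a hand-built archive, and would treat any mismatch as a finding as well.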