The malicious application is designed to phish out personal and financial information

Aug 3, 2013 17:06 GMT  ·  By

The notorious “master key” vulnerability in Android – the one that can be leveraged to turn legitimate apps into Trojans without breaking their cryptographic signature – is being exploited by cybercriminals.

In July, Symantec researchers uncovered a couple of Chinese Android apps that had been trojanized by exploiting the security hole. Now, Trend Micro has identified a malicious version of the application used by customers of South Korea’s NH Nonghyup Bank.

The financial institution is one of South Korea’s largest, so the mobile banking app is utilized by numerous customers.

The cybercriminals used the “master key” flaw to insert a malicious file into the legitimate application.

Besides a trojanized variant of the banking app, the crooks have also created a malicious downloadable update for the program.

When the malicious software is executed, the victim is presented with a phishing page that asks for various pieces of personal and financial information. All the entered data ends up on a server controlled by the attackers.

The applications in question have been spotted on alternative marketplaces.

“This particular finding shows just how dangerous the abuse of the master key vulnerability is to Android users. The fact that it was used to ‘trojanize’ a banking app makes the risk comparable to the online banking threats we know today, as it poses not just the risk of personal information leakage, but financial loss as well,” Trend Micro experts noted in a blog post.

To avoid falling victim to such schemes, users are advised to download applications only from trusted websites. Malicious software can make its way to reputable sites as well, but the chances to become infected with malware are not as high as when files are taken from shady marketplaces.