Attackers have begun exploiting a major Android vulnerability that allows them to take over a victim's phone without altering the digital signature of a targeted app.
The attacks exploited the “master key” flaw in several popular apps marketed to Chinese-speaking Android users.
This enabled attackers to remotely control victims' phones, send premium SMS messages and disable security software on the device, Symantec researchers said.
In addition, they could steal data stored on the phone, such as international mobile station equipment identity (IMEI) and phone numbers.
So far, researchers have detected six hijacked apps affecting Android users: a popular card game, an arcade game, a betting and lottery app, a news app and two apps that help users find and schedule doctor's appointments.
Symantec security response manager Satnam Narang said the infected apps were found in third-party online stores in China, but only time will tell whether the threat will make its way to the United States.
Earlier this month, news about the master key vulnerability spread rapidly because it affected most Android devices.
San Francisco-based Bluebox Security, which discovered the flaw, found that an estimated 900 million devices were impacted since the bug can be exploited in any Android phone released in the last four years.
Worse yet, Jeff Forristal, CTO at Bluebox, revealed that the exploit can be carried out without modifying an app's cryptographic signature. An alteration to the signature normally serves as a red flag that a legitimate app has been "trojanized" or otherwise tampered with.
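The article does not say how a modified app keeps a valid signature. In Bluebox's published description of the bug, the trick was an APK (a ZIP archive) carrying two entries with the same file name, which Android's signature verifier and its installer resolved differently. A cheap defensive check is therefore to scan an APK's central directory for repeated entry names. The script below is an added example, not code from the article, Symantec or Bluebox; the function names (`duplicate_entries`, `is_suspicious`, `_build_sample`) and the two tiny stand-in archives it builds are constructed for illustration and are not real apps.

```python
"""Flag APKs whose ZIP central directory carries duplicate entry names.

An APK is a ZIP archive. Android's signature verifier and its installer used
to resolve a repeated file name (for example two 'classes.dex' entries)
differently, so a repackaged APK could keep its original, valid signature.
Counting repeated names catches that shape of archive. Added example; the
sample archives below are constructed, not real apps.
"""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name listed more than once.

    zipfile.namelist() preserves every central-directory record, including
    repeats, so a plain Counter over it is enough.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(zf.namelist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive has any repeated entry name."""
    return bool(duplicate_entries(apk_bytes))


def _build_sample(duplicate: bool) -> bytes:
    """Construct a tiny stand-in 'APK' (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"entry-one")
        if duplicate:
            # Python's zipfile only warns (it does not refuse) when a name is
            # reused, which is exactly the archive shape the check looks for.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"entry-two")
    return buf.getvalue()


CLEAN_APK = _build_sample(duplicate=False)      # constructed sample
TAMPERED_APK = _build_sample(duplicate=True)    # constructed sample

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_APK), ("tampered", TAMPERED_APK)):
        print(label, "suspicious" if is_suspicious(blob) else "ok",
              duplicate_entries(blob))
```

Run it against a real `.apk` by reading the file into `duplicate_entries`; a non-empty result means the archive contains a file name twice, which no legitimately built APK should. The check reads only the central directory, so it is cheap enough to run over every package in a third-party store mirror.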
SC reached out to Google to inquire about what the company may be doing to prevent apps in its official Android app store from being impacted, but did not immediately hear back.
Forristal plans to reveal more details about the vulnerability at the Black Hat conference next week in Las Vegas.