That Android master key? Yes, it’s infecting apps — in China

When the so-called Android “master key” was announced by security researchers earlier this month, it turned out that the major vulnerability would probably not affect those downloading their apps from Google Play. Fine, some said, that covers all responsible Android users.

Except things aren’t that simple – as I noted when Baidu recently offered $1.9 billion for app distribution outfit 91 Wireless, the lack of paid apps on Google Play in China means third-party app stores are widely used, and legitimately so.

And surprise, surprise, researchers at Symantec have found that the security flaw is indeed being exploited in China. According to a blog post:

“We found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments. An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available.”

Symantec went on to recommend that users “only download applications from reputable Android application marketplaces”, although it didn’t specify which marketplaces had carried these infected apps.

There are in reality many Androids, from Google’s variety to Amazon’s and CyanogenMod’s and all the Chinese flavors too. This makes for a diverse platform of platforms that is not totally under Google’s control – in many ways that’s a good thing, but in this case it isn’t. When a major vulnerability strikes, there simply isn’t enough coordination to shut it down quickly and effectively for all users.

3 Responses to “That Android master key? Yes, it’s infecting apps — in China”

  1. Kindroid

    No news here. Google protects Android through the Google Play Store. If you go outside the store…you’re on your own. No different than iOS App store or WP store. If somehow you downloaded an app on either of those platforms…you would be vulnerable to malicious attacks.

      • milindrao

        There is Google Play in China, but not all Android manufacturers have agreements with Google for providing it with their phones. For me, an Android phone without Google Services is useless. But for many, obviously it isn’t. Amazon App store is also available for free and paid apps. If Baidu can pay $2 billion for an app store, they can afford to make it secure and it’s in their own interest to do so.

        No surprise here that a company hawking security apps wants to announce finding malware. Of course, they all appear on either stores in Russia and China. And from sites with pirated apps. In my opinion serves people right for using pirated apps.