A recently discovered software security vulnerability that exposed as many as 99 percent of Android phone users at the time it was revealed is now being actively exploited, according to researchers at Symantec. The vulnerability enables attackers to modify legitimate Android applications without tampering with the cryptographic signature, thus allowing them to implant malware and seize control of key device functions without detection. The applications currently known to be infected are all for Chinese language users.
A recent Symantec blog post first observed that two Chinese applications used to find and schedule doctor appointments had been infected, and researchers noted that the flaw would likely continue to be exploited for the foreseeable future. The exploit allows an attacker to remotely control devices, steal private data such as phone or IMEI numbers, send premium SMS messages and disable certain mobile security applications.
Since the initial discovery, the security company has found four more applications infected by the same attacker, including a news app, an arcade game, a card game and a lottery app. All of the applications are for Chinese users and are being distributed on third-party app stores. The exploit appeared less than a month after the flaw was first disclosed, a fact that did not surprise Symantec researchers.
“We expected the vulnerability to be leveraged quickly due to ease of exploitation, and it has,” they wrote.
Google quickly patched the flaw when it was first discovered, and it is scanning applications in its Play store to root out any malicious offenders, PCWorld noted. Users are advised to download applications only from trusted marketplaces.
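The article does not describe how the signature check is bypassed; the publicly documented mechanism for this 2013 flaw is a package carrying two ZIP entries with the same file name, where the signature verifier and the installer did not agree on which copy to use. The following added example (hypothetical helper code, not Symantec's, Google's or Klocwork's) shows the kind of pre-install check a marketplace or device scanner can apply: walk the package's central directory and reject any APK that lists the same entry name twice. The sample package it builds is constructed inline and is not a real app.

```python
"""Flag APK files whose ZIP central directory lists an entry name twice."""
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict[str, int]:
    """Return {name: count} for every entry name that appears more than once.

    zipfile.infolist() walks the whole central directory, so it reports both
    copies, whereas ZipFile.open(name) silently returns only the last one.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """A package with any duplicated entry name should not be installed."""
    return bool(duplicate_entries(apk_bytes))


def build_sample(with_duplicate: bool) -> bytes:
    """Constructed minimal APK-like ZIP (not a real application).

    With with_duplicate=True a second 'classes.dex' entry is appended after
    the original, mirroring the tampered-package shape the check targets.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"original dex bytes")
        if with_duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("classes.dex", b"replacement dex bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print(f"duplicate={flag}: suspicious={is_suspicious(sample)}",
              duplicate_entries(sample))
```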
The rapid appearance of an exploit for the flaw, and the extent of control it gives over infected phones, should also serve as a warning for developers and device manufacturers, who can best address software security needs by securing code during the development process. Using tools such as static analysis software, organizations can catch flaws early and minimize the likelihood of harmful exploits.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.