Trojan Jumps on Android Master Key Bug

Monday, August 5, 2013 @ 06:08 PM gHale


A Trojan exploiting a master key vulnerability in Android is infecting smartphones and tablets.

The Android.Nimefas.1.origin Trojan brings attackers options for powers over the infected Android device, according to Russian security firm Dr Web, which found the malware.

RELATED STORIES
Android Master Key Exploits Out
Android ‘Master Key’ Bug Exploits
New Android RAT Malware
Music App a Political Android Trojan

“Android.Nimefas.1.origin can send text messages, transmit confidential information to criminals and allows intruders to remotely execute certain commands on the infected mobile device,” Dr Web officials said.

The Trojan exploits a master key vulnerability to bypass Android’s inbuilt defenses, Dr Web said.

“Recall that the vulnerability master key concerns installation of applications under Android: If an APK package contains a subdirectory with two files that have the same name, the operating system verifies the digital signature of the first file, but installs the second one, whose signature hasn’t been validated. Thus, intruders bypass the security mechanism that prevents installation of applications that have been modified by a third party,” Dr Web said.

“The recently discovered Trojan spreads with Android applications as a modified dex-file located in the same directory as the original dex-file of the program.”

The Russian security firm said the attack has several other detection-dodging powers. “When launched on a device, the Trojan first checks if a service of a known Chinese antivirus is running in the system. If at least one such service is detected, Android.Nimefas.1.origin searches for the files “/system/xbin/su” or “/system/bin/su” to determine if root access is available. If it finds a file, the Trojan process terminates. If none of the above conditions is met, the malware keeps running,” Dr Web said.

“The Trojan can also hide incoming messages from the user. A corresponding filter to conceal messages by their text or number is also downloaded from [the] attacker’s server.”

Dr Web said the attack is currently focusing on Chinese Android users, but will likely soon expand to target other regions. “To date, Android.Nimefas.1.origin poses the greatest threat to Chinese users because it spreads with a large number of games and applications available via a Chinese software catalogue.”

“The site’s administration has already been notified about the problem. However, it is possible that in the near future malware exploiting the vulnerability master key will grow in number and thus the threat geography will expand too,” Dr Web said.

Bluebox Security first discovered the master key vulnerability. Google released a patch for the vulnerability to carriers and hardware partners. Dr. Web said exploits targeting the master key will continue to appear and spread until mobile phone manufacturers update their devices to run the latest Jelly Bean version of Android, which contains the fix.

“While manufacturers of mobile Android devices do not release corresponding updates of the operating system to close this vulnerability, many devices can be affected by such malicious applications,” Dr Web said.

“Provided that a large number of devices available on the market are no longer supported by their manufacturers, their owners are likely to get no protection at all.”



Leave a Reply

You must be logged in to post a comment.