Security researchers have detected two applications on the Google Play Store that make use of the master key vulnerability.
This was coming; at least, most researchers would have bet on it.
The master key vulnerability was exposed some two weeks ago by Bluebox Security specialists, who had discovered it earlier in the year (February) and notified Google about it. Some two months ago, mostly due to this notification by Bluebox Security, Google banned all app updates outside the official Play Store mechanism.
In light of these security loopholes, Google also reportedly started scanning apps on the Play Store. In addition to the Bluebox Security master key vulnerability, these scans are also designed to counter a similar attack discovered by Chinese security researchers.
The two apps, Rose Wedding Cake Game and Pirates Island Mahjong Free, were last updated in mid-May and are increasingly popular among Android users. For instance, Rose Wedding Cake Game has already managed at least 10,000 installations.
Android security devotees have, however, specified that there is no need to panic. The two applications contain two duplicate PNG files which are part of the games' interface. This means that they are not running any malicious code. To run a Trojan on your Android device, an attacker would have to use the same method to replace application code.
Although these apps aren't harmful, it is surprising that they still made their way past Google's Play Store scanning. Nearly all Android devices are susceptible to this exploit, which has existed ever since Android Donut (version 1.6). Only the Samsung Galaxy S4 has been patched to protect against it.
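The distinction drawn above, between duplicated interface images and duplicated application code, can be checked by a scanner. The sketch below is an added example, not code from Google, Bluebox Security or Duo Security; it assumes, as in the master key flaw, that the duplicates are APK (ZIP) entries sharing one name. The list of names treated as code and the in-memory sample archives are constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict

# Entry names treated as executable code (an assumption made for this example).
CODE_SUFFIXES = (".dex", ".so")
CODE_NAMES = {"AndroidManifest.xml"}


def find_duplicate_entries(apk_bytes):
    """Return {name: [crc32, ...]} for every entry name listed more than once."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, duplicates included,
        # whereas name-based lookups silently return only one of them.
        for info in zf.infolist():
            seen[info.filename].append(info.CRC)
    return {name: crcs for name, crcs in seen.items() if len(crcs) > 1}


def classify(apk_bytes):
    """Label an archive 'clean', 'duplicate-resource' or 'duplicate-code'."""
    dups = find_duplicate_entries(apk_bytes)
    if not dups:
        return "clean"
    for name in dups:
        if name in CODE_NAMES or name.endswith(CODE_SUFFIXES):
            return "duplicate-code"
    return "duplicate-resource"


def build_sample(entries):
    """Build a constructed in-memory archive from (name, data) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about repeated names; the test fixtures repeat them on purpose.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample([("classes.dex", b"placeholder"),
                           ("res/icon.png", b"img"), ("res/icon.png", b"img")])
    print(classify(sample), find_duplicate_entries(sample))
```

Differing CRC values for the same name show that the two copies carry different content, which is the case that deserves a closer look.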
To address these security issues, a new free application was released last week by Duo Security in collaboration with Northeastern University's System Security Lab. The app, ReKey, is available on the Play Store and should be installed on all Android devices.
- Via The Register