Sign up for our newsletter
Technology / Cybersecurity

First malicious use of ‘Master Key’ Android vulnerability detected

The first known malicious use of Android’s "master key" vulnerability has been detected.

Norton Mobile Insight – security firm Symantec’s system for harvesting and automatically analysing Android applications from hundreds of marketplaces – discovered the first examples of the exploit being used in the wild. Symantec detects these applications as Android.Skullkey.

The bug allows attackers to install code on to phones running Google’s mobile operating system and then take control of them.
Symantec said it found six applications infected by a malicious actor. The first two identified were legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments.

The attacker had taken the applications and added code to allow them to remotely control devices, steal sensitive data, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available.

White papers from our partners

A further four additional Android applications were then discovered to have been infected by the same attacker, with them being distributed on third-party app sites. The apps are a popular news app, an arcade game, a card game, and a betting and lottery app. All of these apps are designed for Chinese language users.

A statement on Symantec’s website read: "We expect attackers to continue to leverage this vulnerability to infect unsuspecting user devices. Symantec recommends users only download applications from reputable Android application marketplaces. Norton Mobile Security will also protect you from these and other threats and Norton Halt can also advise if your phone is susceptible to this vulnerability."

Symantec has also determined Android.Skullkey will send a text message to all your contacts with a link to a mobile game at This site is currently down.

This article is from the CBROnline archive: some formatting and images may not be present.