All the latest UK technology news, reviews and analysis

Crooks using Android master key to sneak Trojans onto smartphones and tablets

01 Aug 2013
Google Android Malware

A Trojan exploiting a master key vulnerability in Android has been uncovered infecting smartphones and tablets.

Russian security firm Dr Web found the malicious Android.Nimefas.1.origin Trojan, warning that it offers criminals a variety of powers over the infected Android device

"Android.Nimefas.1.origin can send text messages, transmit confidential information to criminals and allows intruders to remotely execute certain commands on the infected mobile device," said Dr Web's statement.

Dr Web reported that the Trojan exploits a master key vulnerability to bypass Android's inbuilt defences.

"Recall that the vulnerability master key concerns installation of applications under Android: if an APK package contains a subdirectory with two files that have the same name, the operating system verifies the digital signature of the first file, but installs the second one, whose signature hasn't been validated. Thus, intruders bypass the security mechanism that prevents installation of applications that have been modified by a third party," read the statement.

"The recently discovered Trojan spreads with Android applications as a modified dex-file located in the same directory as the original dex-file of the program."

The Russian security firm said the attack has several other detection-dodging powers. "When launched on a device, the Trojan first checks if a service of a known Chinese antivirus is running in the system. If at least one such service is detected, Android.Nimefas.1.origin searches for the files "/system/xbin/su" or "/system/bin/su" to determine if root access is available. If a file is found, the Trojan process is terminated. If none of the above conditions is met, the malware keeps running," read the statement.

"The Trojan can also hide incoming messages from the user. A corresponding filter to conceal messages by their text or number is also downloaded from [the] attacker's server."

Dr Web said the attack is currently focusing on Chinese Android users, but will likely soon expand to target other regions. "To date, Android.Nimefas.1.origin poses the greatest threat to Chinese users because it spreads with a large number of games and applications available via a Chinese software catalogue."

"The site's administration has already been notified about the problem. However, it is possible that in the near future malware exploiting the vulnerability master key will grow in number and thus the threat geography will expand too," read the statement.

The master key vulnerability was first uncovered by Bluebox Security. Google has released a patch for the vulnerability to carriers and hardware partners. Dr. Web said exploits targeting the master key will continue to appear and spread until mobile phone manufacturers update their devices to run the latest Jelly Bean version of Android, which contains the fix.

"While manufacturers of mobile Android devices do not release corresponding updates of the operating system to close this vulnerability, many devices can be affected by such malicious applications," read the statement.

"Provided that a large number of devices available on the market are no longer supported by their manufacturers, their owners are likely to get no protection at all."

The campaign is similar to the Android.Skullkey attack discovered by Symantec earlier this month, which also targeted the Android Master Key vulnerability. It is currently unclear if the two campaigns are linked. At the time of publishing Symantec and Dr Web had not responded to V3's request for comment.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus

Tech gifts for Christmas 2014

Is a new tablet on your wish list this festive season, or have they become yesterday’s fad?

Popular Threads

Powered by Disqus
iPhone 6 is available in silver gold and space grey

iPhone 6 video review

The best iOS handset to date

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging


Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

BI Analyst - Stakeholder Management

BI Analyst - Stakeholder Management A large insurance...

Data Warehouse Developer - SQL, SSIS, SSAS, MDX

Data Warehouse Developer - SQL, SSIS, SSAS, MDX A fast...

SQL Server DBA

SQL Server DBA - Southampton - Up to £50,000 - An experienced...

JavaScript Developer

ExtJS Web Developer, Contract, 3 months, Reading, £300...
To send to more than one email address, simply separate each address with a comma.