Researchers have unearthed another malicious app exploiting a critical vulnerability in Google's Android OS that allows attackers to inject malicious code into legitimate programs without invalidating their digital signature.

The threat poses as an update for the official Android app available to customers of NH Nonghyup Bank, one of South Korea's biggest financial institutions, according to a blog post published Friday by researchers from antivirus provider Trend Micro. By exploiting the so-called master-key vulnerability in the mobile OS, this malware bears the same cryptographic signature found in the legitimate release, even though the update contains malicious code that uploads user credentials to a remote server.

The good news is that the app verification tool Google released in Android 4.2 late last year flags these malicious apps. And according to this recent post, Google developers have added the protection to earlier versions and turned it on by default. The verification tool checks the authenticity of apps downloaded from the official Google Play marketplace as well as from alternative sources. As an added safety measure, users should avoid these alternative marketplaces unless there's a strong case for doing otherwise.
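As an added example (not code from the article, Trend Micro or Google), here is a simple defender-side check for the condition the publicly documented master-key bug relies on: an APK whose ZIP central directory lists the same file name more than once, so that the signature verifier and the installer can end up reading different contents for one name. The two sample archives are constructed inline; the file names and contents in them are illustrative, not taken from the reported malware.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Return {name: count} for every entry name that appears more than once
    in the archive's central directory. A properly built signed APK maps each
    name to exactly one file, so any duplicate is grounds to reject the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(apk_bytes: bytes) -> bool:
    """True when the archive has the duplicate-entry shape of a master-key APK."""
    return bool(duplicate_entries(apk_bytes))


def build_sample(tampered: bool) -> bytes:
    """Constructed sample: a minimal APK-like ZIP (hypothetical contents).
    With tampered=True the name classes.dex is written twice, which is the
    structural trait the check above looks for."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile warns about duplicate names; here the duplicate is deliberate
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00ORIGINAL")
            if tampered:
                zf.writestr("classes.dex", b"dex\n035\x00INJECTED")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, tampered in (("clean", False), ("tampered", True)):
        dupes = duplicate_entries(build_sample(tampered))
        print(f"{label}: {dupes or 'no duplicate entries'}")
```

On a real APK, point `duplicate_entries` at the file's bytes; a non-empty result means the archive should be rejected before any signature check is trusted.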

Still, the existence of apps that actively exploit this Android flaw suggests that the master-key vulnerability hasn't gone unnoticed by professional malware developers. Two additional apps reported two weeks ago show this isn't an isolated incident. It's good to know Google has deployed a means for all recent versions of Android to flag these apps, but the fact that these apps exist shows this exploitation technique is (or at least was) worth the time to implement.