Researchers have spotted the first in-the-wild apps to exploit a critical Android vulnerability allowing attackers to inject malicious code into legitimate programs without invalidating their digital signature.

The two apps, distributed on unofficial Android marketplaces in China, help people find doctors and make appointments, according to a blog post published Tuesday by researchers from security firm Symantec. By exploiting the recently disclosed "master key" vulnerability—or possibly a separate Android flaw that's closely related (English translation here)—attackers were able to surreptitiously add harmful functions to the apps without changing the cryptographic signature that's supposed to ensure the apps haven't been modified.

"An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available," a Symantec researcher wrote. "Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions)."

Despite its name, the master key vulnerability doesn't involve any cracking of the underlying cryptography in the Android security model. Rather, it hides two files with the same name inside an app's "APK." Short for Android package, APKs are in essence bit-compressing .ZIP archive files that use a different extension and contain specially named files inside. Android's cryptographic verifier checks signatures for the first instance of any file with duplicate names, according to Sophos's Paul Ducklin, but the installer extracts and deploys only the last version. The exploit, developed by researchers from security startup Bluebox, works by including an APK's digitally signed, legitimate file and a second file with the same name that's modified to do whatever the attacker wants.

A related attack works in much the same way, except it always involves stashing two different versions of a file titled classes.dex. It works only when the targeted file contained in an APK is of a specific byte length, so it's not as flexible as the master key attack. The mention of the classes.dex file in Tuesday's blog post from Symantec suggests the malicious apps may have made use of this related exploit. For an explanation of the classes.dex attack and how it differs from the master key exploit, see posts here and here from Kaspersky Lab and Sophos.

First but probably not the last

Google has already issued updates to prevent attackers from using the exploits to tamper with legitimate apps found in the official Play Marketplace. The company has also released updates to handset manufacturers and carriers. But given the track record of millions of Android phones that never, or only rarely, receive updates to patch dangerous security vulnerabilities, it's a fair bet that many handsets will remain vulnerable. Readers are strongly encouraged to obtain apps only from the Google Play marketplace and to think long and hard before changing default settings preventing the "side loading" of apps from alternative sources. A variety of apps, including this one from Bluebox and Norton Mobile Security from Symantec, will also flag apps modified by one or both of these exploits.

While researchers have identified several apps available in Google Play that exploit the master key bug, those modifications appear to have been inadvertent and harmless. The apps spotted by Symantec appear to be the first reports of a malicious exploit. They probably won't be the last.