That Android master key? Yes, it’s infecting apps — in China

When the so-called Android “master key” was announced by security researchers earlier this month, it turned out that the major vulnerability would probably not affect those downloading their apps from Google Play. Fine, some said, that covers all responsible Android users.
Except things aren’t that simple – as I noted when Baidu recently offered $1.9 billion for app distribution outfit 91 Wireless, the lack of paid apps on Google Play in China means third-party app stores are widely used, and legitimately so.
And surprise, surprise, researchers at Symantec have found that the security flaw is indeed being exploited in China. According to a blog post:

“We found two applications infected by a malicious actor. They are legitimate applications distributed on Android marketplaces in China to help find and make doctor appointments. An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available.”

Symantec went on to recommend that users “only download applications from reputable Android application marketplaces”, although it didn’t specify which marketplaces had carried these infected apps.
There are in reality many Androids, from Google(s goog)’s variety to Amazon’s(s amzn) and CyanogenMod’s and all the Chinese flavors too. This makes for a diverse platform of platforms that is not totally under Google’s control – in many ways that’s a good thing, but in this case it isn’t. When a major vulnerability strikes, there simply isn’t enough coordination to shut it down quickly and effectively for all users.