Symantec Discovers Two Android Apps with ‘Master Key’ Vulnerabilities

It was recently discovered that hackers are taking advantage of a critical vulnerability in Android to modify legitimate mobile device apps.

In a blog post published last Tuesday, security vendor Symantec said it had discovered two apps being distributed in the Chinese Android marketplace. Both exploit the so-called “master key” vulnerability that was discovered earlier this month.

How it Works

The apps, which are used to find and schedule medical appointments, are legitimate. However, they were modified by hackers.

Inside each app is code that allows the culprit to remotely control an Android device. It then collects data such as phone numbers and the device’s IMEI number. The injected code can also deactivate some Chinese mobile security software programs.

Moreover, the code can instruct an Android device to send SMS messages to a premium-rate number. This is a scam in which the hacker controls the number and collects the fees charged to the victim.


Prior to this, Bluebox Security discovered one of the master key vulnerabilities, which can affect as many as 900 million devices. Google quickly released a patch in response, and some security vendors also issued their own software fixes.

