AUGUST 9, 2013
Your regular source of security updates from TrendLabs℠
In This Issue

Security Spotlight
Mobile Threats: In It to Win the Threat Race

Security for Home Users
Master Key Vulnerability Unlocks Your Phone to Malware

Security for Business
Coping with Evolution: Virtual Patching for Mutating Bugs and Businesses



Security for Home Users

Master Key Vulnerability Unlocks Your Phone to Malware




Cybercriminals can use the Android master key vulnerability to turn legitimate apps into malicious ones. They turned a popular online banking app, for instance, into an information stealer.

Master Key, Master Threat

Early last July, security researchers announced the discovery of a new Android mobile phone vulnerability. Called the “master key” vulnerability, it allowed cybercriminals to insert malicious code into legitimate apps installed on mobile devices by way of maliciously crafted app updates. To date, it has been reported that 99% of Android devices are affected by this bug.

Inserting the malicious code into a legitimate app makes it perform malicious routines ranging from information theft to actual device security compromise. Thanks to the bug, the OS can’t identify the malicious update as a security risk, allowing the bad guys to modify the legitimate app without alerting the user.

South Korean Bank Targeted

An actual incident was then discovered late this July. The malicious update targeted the online banking app of NH Nonghyub Bank, one of South Korea’s biggest financial institutions. The app is used by a lot of mobile device owners, having been installed as many as 5–10 million times.

Cybercriminals took advantage of the app’s popularity by releasing a malicious update of their own on third-party sites. This supposed update exploits the master key vulnerability, letting a malicious file into the online banking app without being detected. Should a user run the Trojanized app, it will display a spoofed page asking for his online banking account information. The data is then sent to cybercriminals who will use it to compromise the victim’s account. Because the OS still recognizes the Trojanized app as legitimate, it may be too late before the user discovers he’s been victimized.

Dangerous but Defendable

As with all mobile threats, though, you can stay protected from this one, too. Download apps and updates only from trusted sources, preferably official first-party sources or app stores. Trend Micro customers are protected via the Trend Micro™ Mobile Security app, which has been specifically updated to detect apps that exploit the master key vulnerability.
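For readers who want to check an app package themselves, the following is an added example, not Trend Micro's detection code and not part of the original newsletter. It relies on the publicly documented form of the original master key bug: an APK is a ZIP archive, and a tampered package lists the same entry name more than once, so the copy whose signature is checked is not the copy that gets installed. The function names and exit-code convention are choices made for this example.

```python
"""Flag APKs whose ZIP central directory lists the same entry name twice."""
import sys
import zipfile
from collections import defaultdict


def duplicate_entries(apk):
    """Return {name: [(crc32, size), ...]} for every name listed more than once.

    `apk` is a path or a binary file object. Raises zipfile.BadZipFile if the
    input is not a readable ZIP archive.
    """
    seen = defaultdict(list)
    with zipfile.ZipFile(apk) as zf:
        # infolist() walks the central directory and keeps repeated names,
        # unlike getinfo()/read(), which resolve a name to a single entry.
        for info in zf.infolist():
            seen[info.filename].append((info.CRC, info.file_size))
    return {name: copies for name, copies in seen.items() if len(copies) > 1}


def verdict(apk):
    """Classify an APK as 'clean', 'suspicious' or 'unreadable'."""
    try:
        dups = duplicate_entries(apk)
    except (zipfile.BadZipFile, OSError):
        return "unreadable", {}
    return ("suspicious" if dups else "clean"), dups


if __name__ == "__main__":
    # Usage: python check_apk.py app1.apk app2.apk ...
    exit_code = 0
    for path in sys.argv[1:]:
        status, dups = verdict(path)
        print(f"{path}: {status}")
        for name, copies in sorted(dups.items()):
            differs = len(set(copies)) > 1
            print(f"  {name}: {len(copies)} copies, contents "
                  f"{'differ' if differs else 'identical'}")
        if status != "clean":
            exit_code = 1  # non-zero so scripts can refuse to install
    sys.exit(exit_code)
```

A "clean" result only rules out duplicate entry names; it says nothing about whether the package was signed by the genuine publisher, so the advice to install from official sources still applies.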

Copyright ©2013 Trend Micro Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company and/or product names may be trademarks or registered trademarks of their respective owners. The information contained in this document is subject to change without prior notice.

www.trendmicro.com
