July 31, 2013

Russian anti-virus company Doctor Web discovered the first malignant application for Android that spreads by exploiting the vulnerability Master Key. Android.Nimefas.1.origin can send text messages, transmit confidential information to criminals and allows intruders to remotely execute certain commands on the infected mobile device. Currently the Trojan is spread with games and applications which are available for downloading from a Chinese catalogue of applications for Android. However, it is possible that in the near future, there will be more malware exploiting the vulnerability Master Key and thus the threat geography will expand too.

When information about the vulnerability Master Key appeared in the public domain, most security experts were confident that criminals will take advantage of it sooner or later/ since technically, the flaw is quite easy to exploit. Indeed, a corresponding exploit appeared in less than a month after details of the vulnerability had been disclosed.

The recently discovered Trojan, dubbed by Dr.Web as Android.Nimefas.1.origin, spreads with Android applications as a modified dex-file located in the same directory as the original dex-file of the program. Recall that the vulnerability Master Key concerns installation of applications under Android: if an apk-package contains a subdirectory with two files that have the same name, the operating system verifies the digital signature of the first file, but installs the second one, whose signature hasn't been validated. Thus, intruders bypass the security mechanism that prevents installation of applications that have been modified by a third party.

The screeenshot below provides an example of an application distribution that takes advantage of the vulnerability to install Android.Nimefas.1.origin:

When launched on a device, the Trojan first checks if a service of a known Chinese anti-virus is running in the system.

If at least one such service is detected, Android.Nimefas.1.origin searches for the files "/system/xbin/su" or "/system/bin/su" to determine if root access is available. If a file is found, the Trojan process is terminated. If none of the above conditions is met, the malware keeps running.

Android.Nimefas.1.origin sends the device’s IMSI at a phone number, chosen at random from the available list.

After that the Trojan sends short messages to all numbers found in the infected device's phone book. The message text is downloaded from a remote server. Information about contacts to which the message has been sent, it transferred to the same server. The malware can send arbitrary SMS messages to various numbers. All the necessary data (message text and phone numbers) is acquired from a command and control server.

The Trojan can also hide incoming messages from the user. A corresponding filter to conceal messages by their text or number is also downloaded from attackers' server.

Currently, the remote server, used by cybercriminals to control the malware, is no longer functioning.

To date, Android.Nimefas.1.origin poses the greatest threat to Chinese users because it spreads with a large number of games and applications available via a Chinese software catalogue. The site's administration has already been notified about the problem. However, it is possible that in the near future malware exploiting the vulnerability Master Key will grow in number and thus the threat geography will expand too. While manufacturers of mobile Android-devices do not release corresponding updates of the operating system to close this vulnerability, many devices can be affected by such malicious applications. Provided that a large number of devices available on the market are no longer supported by their manufacturers, their owners are likely to get no protection at all.

All devices running Dr.Web anti-virus for Android are protected from Android.Nimefas.1.origin: the technology Origins Tracing™ makes sure that Dr.Web detects this Trojan. In addition, an apk-file that contains this malware is detected by Dr.Web as Exploit.APKDuplicateName.