The vulnerability allows an attacker to modify an APK's code without breaking the application's cryptographic signature, which means any legitimate application can be turned into a malicious Trojan unnoticed by the Play Store, the device, or the end user.
These rogue apps were not discovered on Google Play, which highlights once again why customers should only get their apps from official app stores. Google itself scans applications in its Play Store for malware, including apps that exploit this vulnerability. According to Symantec, both applications, which are used to find and schedule medical appointments, were originally legitimate but have been modified by hackers.
The hackers modified the apps' code to allow an attacker to remotely control an Android device and collect data such as phone numbers and the device's IMEI number. The modified apps can also deactivate some Chinese mobile security software.
In addition, the malware can force a device to send text messages to a premium-rate number, a well-known type of scam in which the attacker controls the number and collects the fees charged to the victim.
BlueBox first found the vulnerability, but a second, similar vulnerability was published on a Chinese forum. The issues may affect as many as 900 million devices made over the last four years running Android versions 1.6 and higher.
Google released a fix to OEMs shortly after the flaw first became public. However, as is typical of Android, that code change will have to propagate through OEMs and carrier testing before it reaches devices.
There is an app in the Google Play Store that purportedly fixes the issue. Notably, BlueBox has its own app in the Play Store that scans for the vulnerability, and users of the first app say it fixes the flaw.