A number of applications that harmlessly use the MasterKey vulnerability have been spotted on Google Play.
Two of the apps, Rose Wedding Cake Game (“air.RoseWeddingCakeGame v 1.1.0”) and Pirates Island Mahjong Free (“air.PiratesIslandMahjong v 1.0.1”), were last updated in mid-May and are increasingly popular with Android users: Pirates Island Mahjong Free has been installed by between 5,000 and 10,000 users, while Rose Wedding Cake Game has between 10,000 and 50,000 installs.
There is no need to panic right away: the applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code: they are merely using the Android bug to overwrite an image file in the package, most likely by mistake. In contrast, malicious exploitation of this flaw focuses on replacing application code.
One thing that is particularly interesting about today’s discovery is the fact that the two applications with this behavior managed to make their way into the Play Store without raising any red flags. However, patched Android distributions such as CyanogenMod will refuse to install these applications, reporting that the “Package file was not signed correctly”.
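The distinction drawn above, between a duplicated image and duplicated application code, can be checked by listing every entry name in the package and flagging any that appear more than once. The following is an added example, not code from the article or from any scanner it mentions; the rule for what counts as "code" and the sample archives are assumptions constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import Counter

# Assumption of this example: duplicates of these entries mean replaced code.
CODE_SUFFIXES = (".dex", ".so")
CODE_NAMES = {"AndroidManifest.xml"}


def duplicate_entries(apk_bytes):
    """Return {entry name: count} for names listed more than once."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        # infolist() keeps every central-directory record, duplicates included.
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def classify(apk_bytes):
    """Return 'clean', 'duplicate-resource' or 'duplicate-code'."""
    dups = duplicate_entries(apk_bytes)
    if not dups:
        return "clean"
    if any(n in CODE_NAMES or n.endswith(CODE_SUFFIXES) for n in dups):
        return "duplicate-code"
    return "duplicate-resource"


def build_sample(names):
    """Build a constructed in-memory archive with the given entry names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)  # zipfile warns on duplicates
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, b"placeholder %d" % i)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples; entry names are hypothetical, not from the apps above.
    base = ["AndroidManifest.xml", "classes.dex", "assets/button.png"]
    for label, extra in [("plain", []), ("image twice", ["assets/button.png"]),
                         ("dex twice", ["classes.dex"])]:
        sample = build_sample(base + extra)
        print(label, classify(sample), duplicate_entries(sample))
```

A package that lands in the "duplicate-resource" bucket matches the benign case described here, while "duplicate-code" is the pattern that warrants blocking and further analysis.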
If you’re running an unpatched distribution of Android, you might want to try out our Bitdefender Mobile Security & Antivirus or to install the Antivirus Free scanner for Android, which are both available via the Play Store and detect the MasterKey exploit.