A proof-of-concept exploit for the “master key” vulnerability in Android has already been made public, so it could be only a matter of time until we see some Trojanized apps that leverage the flaw.
In the meantime, Bitdefender experts have spotted a couple of fairly popular applications on Google Play that exploit the vulnerability. The apps in question are Rose Wedding Cake Game and Pirates Island Mahjong Free, both updated in mid-May.
However, in this case, the bug is not leveraged for malicious purposes.
“The applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake,” Bitdefender’s Bogdan Botezatu explained.
“In contrast, malicious exploitation of this flaw focuses on replacing application code,” he noted.
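A defender can check a package for the condition described above by listing archive entries that appear more than once and separating code from other files. The following is an added example, not code from Bitdefender or from this article; the function names, the suffix list used to identify code, and the two in-memory sample archives are assumptions constructed for illustration.

```python
import io
import warnings
import zipfile
from collections import defaultdict

# Assumption: entries with these suffixes are treated as executable code.
CODE_SUFFIXES = (".dex", ".so")

def find_duplicate_entries(apk):
    """Return {name: [(crc32, size), ...]} for entry names listed more than once."""
    seen = defaultdict(list)
    with zipfile.ZipFile(apk) as zf:
        # infolist() keeps every central-directory record, duplicates included.
        for info in zf.infolist():
            seen[info.filename].append((info.CRC, info.file_size))
    return {name: recs for name, recs in seen.items() if len(recs) > 1}

def classify(duplicates):
    """Split duplicated names into code entries and everything else."""
    report = {"code": [], "other": []}
    for name in sorted(duplicates):
        kind = "code" if name.lower().endswith(CODE_SUFFIXES) else "other"
        report[kind].append(name)
    return report

def build_sample(entries):
    """Build a constructed in-memory archive from (name, payload) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name repeats
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    buf.seek(0)
    return buf

# Constructed samples: a duplicated image (the benign case in the article)
# and a duplicated code entry (the case that warrants investigation).
DUPLICATE_IMAGE = [("AndroidManifest.xml", b"manifest"), ("classes.dex", b"dex"),
                   ("res/drawable/bg.png", b"png-a"), ("res/drawable/bg.png", b"png-b")]
DUPLICATE_CODE = [("AndroidManifest.xml", b"manifest"),
                  ("classes.dex", b"dex-a"), ("classes.dex", b"dex-b")]

if __name__ == "__main__":
    for label, sample in (("image", DUPLICATE_IMAGE), ("code", DUPLICATE_CODE)):
        dups = find_duplicate_entries(build_sample(sample))
        print(label, classify(dups), dups)
```

Any duplicated name is an anomaly worth reviewing; a duplicated code entry is the one to treat as a likely tampering attempt.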