Researchers have spotted the first in-the-wild apps to exploit a critical Android vulnerability allowing attackers to inject malicious code into legitimate programs without invalidating their digital signature.The two apps, distributed on unofficial Android marketplaces in China, help people find doctors and make appointments, according to a blog post published Tuesday by researchers from security firm Symantec. By exploiting the recently disclosed “master key” vulnerability—or possibly a separate Android flaw that’s closely related (English translation here)—attackers were able to surreptitiously add harmful functions to the apps without changing the cryptographic signature that’s supposed to ensure the apps haven’t been modified.”An attacker has taken both of these applications and added code to allow them to remotely control devices, steal sensitive data such as IMEI and phone numbers, send premium SMS messages, and disable a few Chinese mobile security software applications by using root commands, if available,” a Symantec researcher wrote. “Using the vulnerability, the attacker has modified the original Android application by adding an additional classes.dex file (the file which contains the Android application code) and also adding an additional Android manifest file (the file which specifies permissions).”Despite its name, the master key vulnerability doesn’t involve any cracking of the underlying cryptography in the Android security model. Rather, it hides two files with the same name inside an app’s “APK.” Short for Android package, APKs are in essence bit-compressing .ZIP archive files that use a different extension and contain specially-named files inside. Android’s cryptographic verifier checks signatures for the first instance of any file with duplicate names, according to Sophos’s Paul Ducklin, but the installer extracts and deploys only the last version. The exploit, developed by researchers from security startup Bluebox, works by including an APK’s digitally signed, legitimate file and a second file with the same name that’s modified to do whatever the attacker wants.