A vulnerability in Android, named MasterKey, was discovered in 2013. It uses the features of the operating system's way to validate and process the content of .APK files during the applications installation. By using this vulnerability, attackers can install any malicious program on affected mobile device in the guise of legitimate application—this is achieved by modifiing software packages without affecting the integrity of their digital signature; so, during installation, they are considered unmodified by Android.
This vulnerability is being exploited successfully by some Trojans for Android, e.g. Android.Nimefas.1.origin, discovered by Doctor Web's security researchers. This Trojan is capable of executing attackers' commands (e.g send a bulk of short messages or intercept incoming messages; gather information about the mobile device and contacts from the address book, etc).
Dr.Web anti-virus for Android detects and removes malicious applications that are using the MasterKey vulnerability, even when hackers just try to install them on the attacked device, so Dr.Web anti-virus's users are effectively protected from such Trojans.
Programs' installation packages for Android are files with the .APK extension, which are in fact common ZIP archives. Each application has a special digital signature as well as a list of checksums contained in the file archive, which, when installing the application, is used to check all objects extracted from the archive. If the check fails, the installation of the application is also failed.
ZIP file format, which is used on the base of the .APK file format, allows to lay out two different files with identical names in one subdirectory. With that, when installing the application, Android performs a checksum of the first file, while extracting from the archive and installing the second one.
Consequently, by using this feature of operating system's interpretation and processing of zip archives, cybercriminals can inject any malicious executable file to a program distribution without damaging the digital signature, so that this file is installed in the operating system without the user's knowledge.