Master Key Vulnerability Patched By Google, OEMs Already Have The Fix

July 9, 2013 - Written By Leonardo Benveniste

We’ve heard a lot about malware on Android in the last few years, but never about one that affects almost every Android device out there, and that’s around 900 million devices. Bluebox Security claims to have discovered a vulnerability that does just that, and it can be found in every phone released in the last four years, since Android 1.6, according to Bluebox Security CTO Jeff Forristal.

Google said that they already patched this and sent the code to the manufacturers for them to update their devices, so now the ball is in their court.

Every app has a cryptographic signature, identifying it and validating it as genuine. If a developer loses such a key, they can’t update the app, since the update won’t install over the old version when the signatures don’t match. The vulnerability found, called the Master Key vulnerability, allows ill-intentioned hackers to modify applications without changing the signature, so the modified app can be installed over the old one even though it wasn’t created by the original developer.
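As an added illustration (not code from the article, Bluebox or Google): the flaw was publicly attributed to APKs whose ZIP container carries the same entry name twice, so the signature verifier and the installer could end up reading different copies. A legitimately built APK never has duplicate entry names, so a defender can flag suspect packages with a simple scan of the central directory. The script below uses only Python’s standard zipfile module and constructs its own sample archives.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk_bytes: bytes) -> dict[str, int]:
    """Return {name: count} for every entry name listed more than once in
    the ZIP central directory. Any hit means the package should be rejected
    or examined by hand: a normal build tool never emits duplicate names."""
    with warnings.catch_warnings():
        # zipfile emits a "Duplicate name" warning on read; we count instead.
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def build_sample(duplicate: bool) -> bytes:
    """Constructed sample: a tiny APK-shaped ZIP (not a real app).
    With duplicate=True, classes.dex is written twice, which is the
    shape a tampered package takes: two entries, one name."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # writestr also warns on duplicates
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"dex\n035\x00original-code")
            if duplicate:
                zf.writestr("classes.dex", b"dex\n035\x00replacement-code")
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("tampered", build_sample(True))):
        dupes = duplicate_entries(sample)
        verdict = "REJECT" if dupes else "ok"
        print(f"{label}: {verdict} {dupes}")
```

The same check applies to any APK file on disk: read it into bytes and pass it to duplicate_entries.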

Google patched this in the Play Store some time ago, so you’re safe to update and install apps from there. Gina Scigliano, Google’s Android Communications Manager, said:

“We have not seen any evidence of exploitation in Google Play or other app stores via our security scanning tools. Google Play scans for this issue – and Verify Apps provides protection for Android users who download apps to their devices outside of Play.”

Scigliano also added that OEMs are already shipping the fix to their devices, so if your device has been updated lately, you’re probably safe.

Besides all these patches and fixes from Google and OEMs, you are the one who can help stop these kinds of malware from spreading, or even from existing. How? It’s very easy: don’t install pirated apps or apps from shady app stores. If you don’t want to buy an app, then don’t use it; that’s how most of this malware starts. You try to download the APK and what you get is a modified app filled with malware. Also, it’s wrong to download pirated APKs, so just don’t do it. At all. After all, this is people’s work we’re talking about. Please keep that in mind next time you think of searching for the app instead of buying it.