Google has announced that the company
has developed a patch for Android Master Key bug that was discovered last week. The patch has been sent to Android device manufacturers that will be distributed to users shortly.
The vulnerability was identified by Bluebox security called Master Key that allows editing the APK files without altering the application signature. In this way, the vulnerability could allow to send infected packers, and once they are installed, they could take control of the device through malware. The security flaw had been present since 2009 when Android 1.6 Donut was released, and now 99% of the devices are potentially at risk.
In fact, users are still at risk because it would be a challenge for the manufacturers to update tablets and smartphones that are available for over three years. Quite possibly, it may never happen, and the only alternative is the installation of an unofficial ROM (if model supports), but this requires the necessary skills to perform the operation.
Some security researchers have described how the exploit works. Many applications are distributed in APK format, JAR or ZIP. Android scans these files for any malware before installation. The problem lies in the order in which the operating system detects the presence of the digital signature. It is sufficient to insert a modified file in the archive before the original to fool the security system. Android sees the unmodified file with a valid signature and allows the installation of the infected file.
could be carried out only if the user installs an unverified app, as Google Play Store integrates a scanner that detects and prevents downloading infected applications. Samsung has already released a patch for the Galaxy S4. Soon, other OEM partners will also start pushing this fix.