Google patches 'Master Key' Android flaw, ships code to OEMs

Jos


Google has moved to patch a four-year-old security hole in Android that could potentially leave any device released in this time frame vulnerable to attacks. The flaw in question was disclosed by Bluebox Security last week and centered on the ability to change an app’s code without affecting its cryptographic signature, essentially allowing hackers to turn any legitimate app into malware that is still verified as authentic software.

Bluebox Security CTO Jeff Forristal had said that this vulnerability has been around since Android 1.6 and thus was present in nearly 900 million devices. That’s a scary scenario, but of course the risk of infection is significantly lower considering most people download apps from the official store preloaded on their phones.

In a statement to ZDNet, Gina Scigliano, Google's Android Communications Manager, also downplayed the flaw’s reach while confirming a patch has been sent out to partners. Android users will need to rely on their device’s manufacturer for an update; some manufacturers, like Samsung, are reportedly already shipping them out.

Scigliano was also quick to point out that apps submitted to Google Play are scanned for any evidence of exploitation and so far they’ve found nothing to worry about. Even if you download from third-party sources, Android’s ‘Verify Apps’ feature found in version 4.2 Jelly Bean also has you covered. Those with older devices should exercise caution (and common sense) when downloading from unknown or unreliable sources.


 
It took them 4 years to fix an issue that has cost millions of people their phones. Good job Google.
 
Where does one get "Google" signed apps if not from the Play Store though? It's not as big a deal as they make out. If the Play Store is compromised, that is different.

Anyone installing apps that are "Google" signed not from the Play Store only has themselves to blame.
 