Google patches 'Master Key' Android flaw, ships code to OEMs

By on July 9, 2013, 10:15 AM
google, android, malware, security, master key

Google has moved to patch a four-year-old security hole in Android that could potentially leave any device released in that time frame vulnerable to attack. The flaw in question was disclosed by Bluebox Security last week and centers on the ability to change an app’s code without affecting its cryptographic signature, essentially allowing an attacker to turn any legitimate app into malware while the modified package still verifies as authentic software.

Bluebox Security CTO Jeff Forristal had said that this vulnerability has been around since Android 1.6 and thus is present in nearly 900 million devices. That’s a scary scenario, but of course the risk of infection is significantly lower considering most people download apps from the official store preloaded on their phones.

In a statement to ZDNet, Gina Scigliano, Google's Android Communications Manager, also downplayed the flaw’s reach while confirming that a patch has been sent out to partners. Android users will need to rely on their device’s manufacturer for an update; some manufacturers, like Samsung, are reportedly already shipping them out.

Scigliano was also quick to point out that apps submitted to Google Play are scanned for any evidence of exploitation and that so far they’ve found nothing to worry about. Even if you download from third-party sources, Android’s ‘Verify Apps’ feature, found in version 4.2 Jelly Bean, also has you covered. Those with older devices should exercise caution (and common sense) when downloading from unknown or unreliable sources.
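The article describes the flaw only as "changing an app's code without affecting its signature". Background not stated on the page, but publicly documented for this bug: an APK is a ZIP archive, and the vulnerable packages carried two entries with the same name, so the signature verifier and the installer did not necessarily read the same copy. A scanner of the kind Google says it runs on Play submissions can flag this structure directly, because a correctly built APK never lists a name twice. The following Python script is an added example (not Google's or Bluebox's code) that checks an archive for duplicate entry names; the sample archive it builds is constructed test data, not a real app.

```python
"""Scan a ZIP/APK archive for duplicate entry names.

Added defender-side example. The check is generic: it walks the ZIP central
directory and reports any name that appears more than once, which is the
malformed structure behind the 2013 Bluebox "Master Key" bug. A well-formed
APK has exactly one record per name, so any duplicate is grounds to reject
or quarantine the package for review.
"""
import io
import warnings
import zipfile
from collections import Counter


def find_duplicate_entries(archive) -> dict:
    """Return {name: count} for every entry name listed more than once.

    `archive` may be a filesystem path or a bytes object holding the archive.
    zipfile.infolist() keeps every central-directory record, so duplicates
    are visible even though name-based lookups would only ever see one copy.
    """
    source = io.BytesIO(archive) if isinstance(archive, (bytes, bytearray)) else archive
    with zipfile.ZipFile(source) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def is_suspicious(archive) -> bool:
    """True if the archive should be rejected or held for further review."""
    return bool(find_duplicate_entries(archive))


def build_sample_apk(duplicate: bool) -> bytes:
    """Construct a minimal ZIP with an APK-like layout (test data, not a real app).

    With duplicate=True a second 'classes.dex' record is appended, reproducing
    the structure a scanner should catch. The file contents are placeholders.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder: first copy")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate:
            with warnings.catch_warnings():
                # zipfile warns about the duplicate name; that is the point here.
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"placeholder: second copy")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("duplicate", True)):
        apk = build_sample_apk(flag)
        verdict = "SUSPICIOUS" if is_suspicious(apk) else "ok"
        print(f"{label}: duplicates={find_duplicate_entries(apk)} -> {verdict}")
```

Run it as a script to see the clean archive pass and the duplicated one flagged; to scan a real package, call `find_duplicate_entries("/path/to/app.apk")`. The check is cheap (central directory only, no decompression) and is independent of the patch status of the device the package is destined for, which is why it belongs in a store-side or enterprise intake pipeline rather than only on the handset.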

User Comments: 3

JC713 said:

It took them 4 years to fix an issue that has cost millions of people their phones. Good job google.

2 people like this | Darth Shiv said:

Where does one get "google" signed apps if not from the play store though? It's not as big a deal as they make out. If play store is compromised that is different.

Anyone installing apps that are "Google" signed not from the play store only have themselves to blame.

1 person liked this | Guest said:

No, it didn't take them 4 years, the bug was discovered just last month
