Google Patches The Android “Master Key Vulnerability”

Posted Jul 9, 2013

Google has created a patch for the four-year-old security hole in the Android operating system known as the “Master Key vulnerability.” The vulnerability put smartphone and tablet users at risk from non-Play Store applications containing malware. Handsets will receive the patch as manufacturers push it out. The issue dates back to Android 1.6 in the fall of 2009.

The vulnerability was discovered by Bluebox Security and affects how Android apps are verified and installed. It allowed hackers to modify an app's code without invalidating the app's cryptographic signature.

When the exploit was first discovered, it was announced that the issue could potentially affect 900 million devices. In reality, it would be surprising if it affected even a small number of devices. Bluebox warned Google about the flaw, and an initial fix was developed for apps in the Google Play Store.

Now the only way to get infected is to transfer an APK that was not downloaded from the Google Play Store to a phone and install it manually. Most Android users do not do this, but that route has now been patched as well.

In a statement to ZDNet, Google’s Android Communications Manager Gina Scigliano said that she can “confirm that a patch has been provided to our partners. Some OEMs, like Samsung, are already shipping the fix to the Android devices.”