Google patches up security hole that allows normal apps to be converted into malware, OEMs pushing out fix soon


A company called Bluebox Security recently discovered a vulnerability in Android that has existed since Android 1.6. It’s called the Master Key vulnerability and, as the name suggests, it allows hackers and general evildoers to convert 99 percent of legitimate Android applications into trojans by injecting malware into an app — all without tampering with or changing the app’s signature. For those unaware, Android apps carry a “signature” that is used to verify whether the app has been tampered with.

According to Bluebox Security’s CTO, the vulnerability affects just about any Android device released in the last 4 years (since Donut). Going by those numbers, that means over 900 million devices are potentially vulnerable to Master Key hijinks.

Apparently news of the vulnerability is old news to Google, which was quietly alerted back in February (even though we first learned of Master Key on Friday), and has already effectively patched the security hole and released the fix to OEMs. In fact, some manufacturers like Samsung are already pushing the update out to their Android devices, and even custom ROMs like CyanogenMod are all over it. For carrier devices, all we can do now is play the waiting game while we wait for network operators to follow suit.

Before you rush off to wipe your Android device, listen up. According to a Google spokesperson, they haven’t found any evidence of infected apps making their way into the Play Store (or being sideloaded onto devices), and Google’s security scanning software now specifically scans for Master Key malware. Whew.
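For readers who want to check an APK themselves, the Python below is an added example (not code from this article, from Google or from Bluebox): it walks the ZIP central directory of an APK and flags any entry name that appears more than once, which is the condition behind the signature bypass described above, where a signature verifier and an installer can end up reading different copies of a same-named entry. The sample archive it builds is constructed here for the demonstration; it assumes a single-disk, non-ZIP64 archive.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

# ZIP structures walked below (little-endian; ZIP64 is not handled, by assumption).
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
EOCD_FMT = "<HHHHIIH"      # fields after the 4-byte signature (18 bytes)
CDH_FMT = "<6H3I5H2I"      # fields after the 4-byte signature (42 bytes)


def duplicate_entry_names(apk: bytes) -> dict:
    """Return {name: count} for every entry name listed more than once.

    A signed APK should never carry two entries with the same name: if the
    signature check reads one copy and the installer extracts the other,
    the two disagree about what was actually signed.
    """
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP/APK")
    _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from(EOCD_FMT, apk, eocd + 4)
    names = Counter()
    pos = cd_offset
    for _ in range(n_entries):
        if apk[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"corrupt central directory at offset {pos}")
        fields = struct.unpack_from(CDH_FMT, apk, pos + 4)
        name_len, extra_len, comment_len = fields[9], fields[10], fields[11]
        name = apk[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        names[name] += 1
        pos += 46 + name_len + extra_len + comment_len   # skip to next header
    return {n: c for n, c in names.items() if c > 1}


def build_sample_apk(duplicate_dex: bool) -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP, optionally with a second
    entry named 'classes.dex' so the scanner has something to flag."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00sample code")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if duplicate_dex:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                z.writestr("classes.dex", b"dex\n035\x00second copy")
    return buf.getvalue()
```

On a real device image you would feed the raw bytes of each installed APK to `duplicate_entry_names`; any non-empty result is worth investigating before the fix reaches that handset.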

[via ZDNet]


  • Jason

    I hope that with Key Lime Pie, we will see Google get better control over their operating system, and be able to send out security updates without the fear of breaking the crappy changes that the manufacturers have made.

  • squiddy20

    “While this information has just gone public today…”

    …We’ve known about this for almost a week. Your very own Kevin Krause wrote about it (poorly, I might add) on the 5th:

    • Chris Chavez

      What I meant was information of Google’s knowledge just went public today, not the malware itself (which Google’s actually known about for months now).

      • Alex Stansfield

        Bluebox’s press release from last week that you link to in your article says that Google was told in February.

  • thedicemaster

    I see no mention of the Galaxy S4, but supposedly they didn’t have this problem to begin with.
    Samsung already included the fix in the software the devices were shipped with.

  • MinkaKelly

    You don’t see this type of nonsense with Apple. I’m switching back to iOS. l8er

  • Joshua

    Pretty sad Google can’t do something like (sadly) iOS does and push updates over Wi-Fi. If there is an update, you get a prompt, then boom, it is updated after a reboot. It would be simple.