A company called Bluebox Security recently discovered a vulnerability in Android that has existed since Android 1.6. It’s called the Master Key vulnerability and, as the name suggests, it allows hackers and general evildoers to convert 99 percent of legit Android applications into trojans by effectively injecting malware into an app — all without changing the app’s signature. For those unaware, Android apps use “signatures” as a way to verify that an app has not been tampered with.
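As an added illustration of what an app signature is meant to catch (example code, not from the original article or from Bluebox): a minimal model of Android’s JAR-style (v1) signing, where META-INF/MANIFEST.MF records a SHA1 digest of every file in the APK, and a check that flags any file whose content no longer matches its recorded digest. The archive contents are constructed samples, and the certificate signature over the manifest is left out; only the per-file digest step is modelled.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample APK contents (not a real app).
SAMPLE_FILES = {
    "classes.dex": b"dex\n035\x00legit bytecode",
    "res/values/strings.xml": b"<resources/>",
}

def sha1_b64(data):
    return base64.b64encode(hashlib.sha1(data).digest()).decode()

def build_apk(files):
    """Write the files into an in-memory zip with a v1-style manifest
    listing each entry's SHA1-Digest, as a signed APK carries."""
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in files.items():
        manifest += f"Name: {name}\nSHA1-Digest: {sha1_b64(data)}\n\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def parse_manifest(text):
    """Map entry name -> recorded SHA1-Digest from a manifest's sections."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests

def verify_apk(apk_bytes):
    """Return names of entries whose bytes do not match the manifest digest
    (added or modified files); an empty list means the archive is intact."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        return [i.filename for i in z.infolist()
                if not i.filename.startswith("META-INF/")
                and digests.get(i.filename) != sha1_b64(z.read(i.filename))]

def replace_entry(apk_bytes, name, new_data):
    """Rewrite the archive with one entry's content swapped and the manifest
    left untouched, i.e. tampering after the app was signed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()
```

Run `verify_apk(build_apk(SAMPLE_FILES))` to see the intact case, then swap `classes.dex` with `replace_entry` and verify again to see the modified file reported.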
According to Bluebox Security’s CTO, the vulnerability affects just about any Android device released in the last 4 years (since Donut). Going by those numbers that means over 900 million devices are potentially vulnerable to Master Key hijinks.
Apparently the flaw is old news to Google, which was quietly alerted back in February (even though we first learned of Master Key on Friday), has already patched the security hole, and has released the fix to OEMs. In fact, some manufacturers like Samsung are already pushing the update out to their Android devices, and even custom ROMs like CyanogenMod are all over it. For carrier devices, all we can do now is play the waiting game while network operators follow suit.
Before you rush off to wipe your Android device, listen up. According to a Google spokesperson, Google’s security scanning software now specifically checks for apps exploiting Master Key, and they haven’t found any evidence of infected apps making their way into the Play Store (or being sideloaded onto devices). Whew.