Google patches up security hole that allows normal apps to be converted into malware, OEMs pushing out fix soon



A company called Bluebox Security recently discovered a vulnerability in Android that’s existed since Android 1.6. It’s called the Master Key vulnerability and, as the name suggests, it allows hackers and general evildoers to convert 99 percent of legit Android applications into trojans by effectively injecting malware into an app, all without tampering with or changing the app’s signature. For those unaware, Android apps use “signatures” as a way to verify whether an app has been tampered with.

According to Bluebox Security’s CTO, the vulnerability affects just about any Android device released in the last 4 years (since Donut). Going by those numbers that means over 900 million devices are potentially vulnerable to Master Key hijinks.

Apparently the vulnerability is old news to Google, which was quietly alerted back in February (even though we first learned of Master Key on Friday), has already effectively patched the security hole, and has released the fix to OEMs. In fact, some manufacturers like Samsung are already pushing the update out to their Android devices, and even custom ROMs like CyanogenMod are all over it. For carrier devices, all we can do now is play the waiting game until network operators follow suit.

Before you rush off to wipe your Android device, listen up. According to a Google spokesperson, they haven’t found any evidence of infected apps making their way into the Play Store (or sideloaded onto devices) with Google’s security scanning software specifically scanning for the Master Key malware. Whew.

[via ZDNet]

Chris Chavez

  1. I hope that with Key Lime Pie, we will see Google get better control over their operating system, and be able to send out security updates without the fear of breaking the crappy changes that the manufacturers have made.

  2. “While this information has just gone public today…”

    …We’ve known about this for almost a week. Your very own Kevin Krause wrote about it (poorly, I might add) on the 5th: http://phandroid.com/2013/07/05/security-hole-affects-99-percent-of-android-users/

    1. What I meant was information of Google’s knowledge just went public today, not the malware itself (which Google’s actually known about for months now).

      1. Bluebox’s press release from last week that you link to in your article says that Google was told in February.

  3. I see no mention of the Galaxy S4, but supposedly they didn’t have this problem to begin with.
    Samsung already included the fix in the software the devices were shipped with.

  4. “soon”

  5. you don’t see this type of nonsense with Apple. i’m switching back to iOS. l8er

  6. pretty sad Google can’t do something like (sadly iOS) to do updates over wifi. If there is an update then get a prompt then boom it is updated after reboot. It would be simple
