Threat of the month: Android master key vulnerability


What is it?

The Android master key vulnerability can be used to bypass signature verification to gain full system-level access to a device. 

How does it work?

This class of vulnerabilities allows attackers to take a legitimate app, change its contents, and republish it on third-party marketplaces without invalidating the signature that the original vendor produced for the application.

Should I be worried?

If you do not use third-party marketplaces, there is little need for concern. Google claims to be scanning for the vulnerability in apps from its Google Play store. However, if you use third-party marketplaces, then there is cause for concern. 

How can I prevent it?

Do not download apps from third-party marketplaces. Only install apps from Google Play. Additionally, as soon as your mobile device provider pushes an over-the-air update, install the update. The patch for the master key flaw has not yet been pushed out to any devices, as of the time of this writing [Aug. 7].
