Threat of the month: Android master key vulnerability


What is it?

The Android master key vulnerability can be used to bypass signature verification to gain full system-level access to a device. 

How does it work?

This class of vulnerabilities allows attackers to take a legitimate app, change its contents, and republish it on third-party marketplaces without changing the original vendor's signature on the application.

Should I be worried?

If you do not use third-party marketplaces, there is little need for concern. Google claims to be scanning for the vulnerability in apps from its Google Play store. However, if you use third-party marketplaces, then there is cause for concern. 

How can I prevent it?

Do not download apps from third-party marketplaces. Only install apps from Google Play. Additionally, as soon as your mobile device provider pushes an over-the-air update, install the update. The patch for the master key flaw has not yet been pushed out to any devices, as of the time of this writing [Aug. 7].
