What is it?
The Android master key vulnerability can be used to bypass signature verification to gain full system-level access to a device.
How does it work?
The class of vulnerabilities allow attackers to take a legitimate app, change the contents of that app, and republish it on third-party marketplaces without changing the signature of the original application produced by the original vendor.
Should I be worried?
If you do not use third-party marketplaces, there is little need for concern. Google claims to be scanning for the vulnerability in apps from its Google Play store. However, if you use third-party marketplaces, then there is cause for concern.
How can I prevent it?
Do not download apps from third-party marketplaces. Only install apps from Google Play. Additionally, as soon as your mobile device provider pushes an over-the-air update, install the update. The patch for the master key flaw has not yet been pushed out to any devices, as of the time of this writing [Aug. 7].
