Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Threat of the month: Android master key vulnerability

What is it?

The Android master key vulnerability can be used to bypass signature verification to gain full system-level access to a device. 

How does it work?

The class of vulnerabilities allow attackers to take a legitimate app, change the contents of that app, and republish it on third-party marketplaces without changing the signature of the original application produced by the original vendor.

Should I be worried?

If you do not use third-party marketplaces, there is little need for concern. Google claims to be scanning for the vulnerability in apps from its Google Play store. However, if you use third-party marketplaces, then there is cause for concern. 

How can I prevent it?

Do not download apps from third-party marketplaces. Only install apps from Google Play. Additionally, as soon as your mobile device provider pushes an over-the-air update, install the update. The patch for the master key flaw has not yet been pushed out to any devices, as of the time of this writing [Aug. 7].

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.