Android “master key” leaves 99% of devices vulnerable

The Bluebox Security research team – Bluebox Labs – recently discovered a vulnerability in Android’s security model that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.

Malware, adware and now a master key. The security trifecta.



  • http://www.EverydayDigitals.com/ James Gobert

    Ouch!

  • DanPierce

    Open always wins.

  • http://mangochut.net/ mangochutney

    How does a vulnerability like this even exist, let alone still exist in the current versions of Android?

    I don’t even…

  • dreyfus2

    Waiting for Katherine Noyes to explain how open is always more secure in 3, 2, …

  • J.A.C.K.

    Makes my job just that more interesting. If I don’t have enough security issues to worry about..smh

  • http://www.johncblandii.com John C. Bland II

    Shameful situation. This is Google’s biggest problem with Android.

    • http://www.johncblandii.com John C. Bland II

      Seems to fall in the same category as the malware: http://feedly.com/k/16R5hMr. You have to enable unknown sources.

      • Sebastian Paul

        Being able to use unknown sources is one of the most important reasons to use Android for Android fanboys – being open, having freedom etc. blabla.

        You need to enable unknown sources to use the Amazon Appstore and after Google has removed all the ad blockers from Google Play, you also need to enable it to sideload Adblock Plus or other ad blockers.

        Amazon is giving away free apps on a regular basis and is also one of the most well known brands in the world. Being able to install their Appstore only with unknown sources enabled will lead to many people having that setting enabled.

        While it was possible to always have been at war with Eastasia and allied with Eurasia and always have been at war with Eurasia and allied with Eastasia a minute later in “1984” due to doublethink – this is not possible in real life.

        You can’t say “Yay OPENNESS, yay sideloading!” and a minute later “Everybody who is installing from unknown sources is stupid”.

        • http://www.johncblandii.com John C. Bland II

          Valid point on Amazon but most normal Android users won’t use their store. They’ll just stick to Play, as most I know don’t even know Amazon’s exists on Android. But…as noted, fair point.

          Ad blockers? Fair point for those who use them.

          I’m assuming you’re lumping me into the “Android users” category when you say “You can’t say…”, right? If so, ok. If not, I never boast about side loading. I only do it solely for device testing my apps. Great feature but merely a checkbox in a feature column to me.

  • lucascott

    So this is why Android is better?

  • JDSoCal

    But but…open! LOL, fandroid losers.

  • initialsBB

    And what do those with devices that will never EVER be updated by the manufacturers do?

  • MichaelPeiffert

    I’m a mobile game developer and while I desperately want Android users to play my games, those security weaknesses are scaring me.

  • Kriztyan

    I am happily dancing in my walled garden :)