Always in July 2013 the China-based group, known as Android Security Squad, uncovered a new Android master key vulnerability that allows similar exploitation of Android devices.

We come to the present day, recently Google presented Android 4.4 code named KitKat, the last version of the Google OS promise being more secure and it includes a patch for any Android Master Key vulnerability, but nothing is totally secure 😉

Security expert Jay Freeman, also known as Saurik for Cydia Software, has announced that also Android 4.4 is affected by the Master Key vulnerability and demonstrated the vulnerability with a proof of concept exploit written in Python.

“Now, last night, the source code for Android 4.4 was released to AOSP, which included a patch for yet another bug, #9950697, in the signature verification of Android application packages. This bug is somewhat weaker than the previous ones, but is still sufficient to support the general exploit techniques I have described . In this article, I describe this third bug and show how it can be used, providing both a proof-of-concept implementation in Python and a new version of Impactor that adds support for this signature bug.”

The Android Master Key Vulnerability is similar to the one reported by Android Security Squad in July, every application is signed by authors with their reported by Android Security Squad in July, every application is signed by authors with their private cryptographic keys

The Android’s package manager determines whether applications are allowed to share information, or what permissions they are able to obtain analyzing the certificates used to verify the author’s signature.