The Android master key vulnerability has been in existence since the Donut version of Android. This means over 99 percent of Android phones in existence are vulnerable to malicious code hidden in replicas of legitimate applications. However, a temporary solution has emerged: Google has taken the initiative to keep infected apps away from the app store.

Android master key bug

The Master Key bug is a vulnerability that allows attackers to inject malicious code into an existing app before sending it out to unsuspecting consumers, in such a way that the app behaves in the same way as the original. Researchers have found that the reason for such attacks could be the way in which the cryptographic signatures in Android applications are verified. Attackers are able to make modifications to the app without tampering with the cryptographic signature.

As a result, a good number of legitimate applications could be modified and infected with malicious code to steal passwords and other data from users. Since the digital signatures of an infected app and a legitimate app would remain the same, consumers would not be able to identify the hidden threat within the app.
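One check a defender can run on an APK before trusting it, given here as an added example that is not part of the original article. It assumes the publicly documented form of this bug, in which the APK (a ZIP archive) carries two entries with the same name; that detail and the function names `duplicate_entries`, `is_suspicious` and `build_sample` are assumptions of this example, and the sample archives are constructed.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(apk):
    """Return the sorted entry names that occur more than once in the archive.

    `apk` is a file path or a binary file object. A normally built APK has
    no repeated entry names, so any hit deserves a closer look.
    """
    with zipfile.ZipFile(apk) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def is_suspicious(apk):
    """True when the archive contains at least one repeated entry name."""
    return bool(duplicate_entries(apk))


def build_sample(entries):
    """Build a constructed in-memory archive from (name, data) pairs."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about repeated names
        with zipfile.ZipFile(buf, "w") as zf:
            for name, data in entries:
                zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed samples: placeholder bytes, not real APK contents.
    clean = build_sample([("AndroidManifest.xml", b"m"), ("classes.dex", b"a")])
    odd = build_sample([("AndroidManifest.xml", b"m"),
                        ("classes.dex", b"a"), ("classes.dex", b"b")])
    for label, sample in (("clean", clean), ("odd", odd)):
        print(label, duplicate_entries(sample))
```

The check reads only the archive's central directory and does not verify the signature itself, so it complements the platform's verification and does not replace it.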

Google takes the initiative

In a bid to thwart any further malicious attacks on Android users, Google has updated Google Play with security checks that block any apps that make use of this exploit. As a result, consumers can be sure of being safe as long as they install apps only from Google Play. Third-party downloads, including apps from Amazon and Samsung, pose a threat to consumers. Google has recommended that Android users stay away from any third-party app stores until the Master Key vulnerability has been fixed.

What can you do as a consumer?

The most important thing you can do as a consumer is look at the origin of the app. This is something that the attackers haven’t been able to mask. As a result, even if a malicious Trojan app manages to remain on Google Play despite all the security blocks, the app will not be listed in the original app owner’s account. This means that if an attacker trojanizes Angry Birds using the Master Key bug, the app will definitely not be listed under Rovio’s official Google Play account. So it is worth checking the developer’s identity before downloading an app from any app store.

You can also turn off third-party installations on your phone. This is easily done by changing your phone’s security settings so that installations from unknown sources are not allowed. If you are using the Jelly Bean version of Android, you may be safe to a certain extent, because Jelly Bean has a built-in app scanner that scans every app downloaded from third-party sources. As a result, even if you happen to install an infected app by mistake, your phone is capable of blocking the application from causing any harm. In addition, you can install any one of the many security applications from Google Play that can detect suspicious code in apps.

What is being done about it?

The Master Key vulnerability has not been exploited on a large scale. That does not mean the threat has gone away. Mobile manufacturers are now looking at all-round security solutions for their handsets. This would mean that a security module taking care of everything from identity theft to malware protection as well as theft alerts would be integrated into one system. The Master Key threat was detected in February 2013. Google immediately responded with a patch to its Open Handset Alliance. Other manufacturers have been a bit sluggish in this regard, but they too are releasing firmware updates to fix this issue. However, it will take some more time before everybody has access to the patches.

Bluebox Security has been leading the race to find vulnerabilities in the Android OS. In fact, they were the first to report the Master Key vulnerability. Rumors suggest that more such threats are likely to be revealed soon during the Black Hat conference, which is set to take place in Las Vegas at the end of the month. The Master Key vulnerability, even though not fully exploited, is a very serious threat that can cause serious damage by stealing your personal information. It would be best to install a firmware update as soon as you receive it.