No evidence that exploit has actually been used, Google spokeswoman tells ZDNet

Last week it emerged that a security vulnerability affecting all current versions of Android could allow applications to be maliciously altered without affecting their cryptographic signatures. You might've heard it referred to as the Android "master key" vulnerability.

At the time it was reported that Samsung's Galaxy S4 had already been patched to address the issue, and now we have further information from Google on the company's response to the incident. According to ZDNet, Google spokeswoman Gina Scigliano said that the company had already released a fix for the bug to OEMs, and that some manufacturers like Samsung were already shipping the fix in devices.

Scigliano reiterated that Google had found no evidence that the vulnerability had actually been exploited in malware on Google Play or other app stores. As AC's Jerry Hildenbrand mentioned in his write-up of the issue last week, the bug, while potentially serious, is easy to avoid by sticking to official app stores and avoiding pirated apps.

More: Making sense of the latest Android 'master key' security scare

Source: ZDNet

There are 17 comments

silverfang77 says:

Is this going to be for all phones or only the newest?

ExtremeNerd says:

Per OEMs priority, likely just on newer phones. If you have a phone from the last year or so, you will likely get this. There's just no point updating a phone from 2010 or 2011. Why update a phone a handful of people are using?

NoNexus says:

There are still a small ton of older phones out there I would hope that they would get the update.

Posted via

ExtremeNerd says:

There are several hundred android phones. The odds are not great that even 10% will get this update. Most people with the older phones aren't savvy enough to know how to sideload. I don't think this is as big a problem as many think. Stay away from sketchy sites and you're good.

NoNexus says:

I wonder how far the update/fix will go. I am sure phone from the last year or maybe two will get the update. What about older phones?

Posted via

what about nexus devices?!!

I assume they will be among of the first to receive the fix.

DaEXfactoR says:

I know Nexus owners are the minority, but how soon do you guys think we can expect this patch to hit Nexus phones

Posted via Android Central App

getaceres says:

Probably with Android 4.3 or 4.3.1
Whenever Google decides to release it...

return_0 says:

Very quickly, most likely before other phones.

Posted via Android Central App

3165dwayne says:

I think the gs4 has already been patched

DerekMorr says:

The HTC One and Sony Xperia Z with 4.2.2 also have the fix.

They are not going to push the fix on its own. They will wait for a firmware update.
But if you don't side load you don't have much to worry about.

Posted via Android Central App

sher9501 says:

How does it work, though? If there was a dodgy app, when installing the APK, would it notify me it's replacing an app already installed on the phone, like an usual updates does, etc?

Posted via Android Central App

If you use the play store the risk is low.
The rouge app would install just like any other so yes the system should show this message.

Posted via Android Central App

90% of "rogues" on warcraft incorrectly spell it "rouge." French for red.

Dam those red apps :p

Ben Linford says:

Google have released the patch to OEMs, who have already started to push it out to devices, but they haven't pushed it out to their own yet.

Seems a bit backwards to me that my galaxy S3 has been patched yet my Nexus 10 hasn't. You'd think Google would look after their own devices first, then give it to everyone else.

Go figure!