No evidence that exploit has actually been used, Google spokeswoman tells ZDNet

Last week it emerged that a security vulnerability affecting all current versions of Android could allow applications to be maliciously altered without affecting their cryptographic signatures. You might've heard it referred to as the Android "master key" vulnerability.

At the time it was reported that Samsung's Galaxy S4 had already been patched to address the issue, and now we have further information from Google on the company's response to the incident. According to ZDNet, Google spokeswoman Gina Scigliano said that the company had already released a fix for the bug to OEMs, and that some manufacturers like Samsung were already shipping the fix in devices.

Scigliano reiterated that Google had found no evidence that the vulnerability had actually been exploited in malware on Google Play or other app stores. As AC's Jerry Hildenbrand mentioned in his write-up of the issue last week, the bug, while potentially serious, is easy to avoid by sticking to official app stores and avoiding pirated apps.

More: Making sense of the latest Android 'master key' security scare

Source: ZDNet


Reader comments

Google confirms fix for 'master key' vulnerability released to OEMs


Per OEMs' priority, likely just on newer phones. If you have a phone from the last year or so, you will likely get this. There's just no point updating a phone from 2010 or 2011. Why update a phone a handful of people are using?

There are still a small ton of older phones out there; I would hope that they would get the update.


There are several hundred Android phones. The odds are not great that even 10% will get this update. Most people with the older phones aren't savvy enough to know how to sideload. I don't think this is as big a problem as many think. Stay away from sketchy sites and you're good.

I wonder how far the update/fix will go. I am sure phones from the last year or maybe two will get the update. What about older phones?


I know Nexus owners are the minority, but how soon do you guys think we can expect this patch to hit Nexus phones?

Posted via Android Central App

They are not going to push the fix on its own. They will wait for a firmware update.
But if you don't side load you don't have much to worry about.

Posted via Android Central App

How does it work, though? If there was a dodgy app, when installing the APK, would it notify me it's replacing an app already installed on the phone, like a usual update does, etc.?

Posted via Android Central App

If you use the Play Store the risk is low.
The rogue app would install just like any other, so yes, the system should show this message.

Posted via Android Central App

Google have released the patch to OEMs, who have already started to push it out to devices, but they haven't pushed it out to their own yet.

Seems a bit backwards to me that my Galaxy S3 has been patched yet my Nexus 10 hasn't. You'd think Google would look after their own devices first, then give it to everyone else.

Go figure!