Google confirms fix for 'master key' vulnerability released to OEMs

No evidence that exploit has actually been used, Google spokeswoman tells ZDNet

Last week it emerged that a security vulnerability affecting all current versions of Android could allow applications to be maliciously altered without affecting their cryptographic signatures. You might've heard it referred to as the Android "master key" vulnerability.

At the time it was reported that Samsung's Galaxy S4 had already been patched to address the issue, and now we have further information from Google on the company's response to the incident. According to ZDNet, Google spokeswoman Gina Scigliano said that the company had already released a fix for the bug to OEMs, and that some manufacturers like Samsung were already shipping the fix in devices.

Scigliano reiterated that Google had found no evidence that the vulnerability had actually been exploited in malware on Google Play or other app stores. As AC's Jerry Hildenbrand mentioned in his write-up of the issue last week, the bug, while potentially serious, is easy to avoid by sticking to official app stores and avoiding pirated apps.

Making sense of the latest Android 'master key' security scare

Source: ZDNet

Alex Dobie
Executive Editor

Alex was with Android Central for over a decade, producing written and video content for the site, and served as global Executive Editor from 2016 to 2022.

  • Is this going to be for all phones or only the newest?
  • Per OEMs' priority, likely just on newer phones. If you have a phone from the last year or so, you will likely get this. There's just no point updating a phone from 2010 or 2011. Why update a phone a handful of people are using?
  • There are still a small ton of older phones out there; I would hope that they would get the update. Posted via
  • There are several hundred Android phones. The odds are not great that even 10% will get this update. Most people with the older phones aren't savvy enough to know how to sideload. I don't think this is as big a problem as many think. Stay away from sketchy sites and you're good.
  • I wonder how far the update/fix will go. I am sure phones from the last year or maybe two will get the update. What about older phones? Posted via
  • What about Nexus devices?!!
  • I assume they will be among the first to receive the fix.
  • I know Nexus owners are the minority, but how soon do you guys think we can expect this patch to hit Nexus phones? Posted via Android Central App
  • Probably with Android 4.3 or 4.3.1
    Whenever Google decides to release it...
  • Very quickly, most likely before other phones. Posted via Android Central App
  • I think the GS4 has already been patched.
  • The HTC One and Sony Xperia Z with 4.2.2 also have the fix.
  • They are not going to push the fix on its own. They will wait for a firmware update.
    But if you don't side load you don't have much to worry about. Posted via Android Central App
  • How does it work, though? If there was a dodgy app, when installing the APK, would it notify me it's replacing an app already installed on the phone, like a usual update does, etc.? Posted via Android Central App
  • If you use the play store the risk is low.
    The rouge app would install just like any other so yes the system should show this message. Posted via Android Central App
  • 90% of "rogues" on warcraft incorrectly spell it "rouge." French for red. Dam those red apps :p
  • Google have released the patch to OEMs, who have already started to push it out to devices, but they haven't pushed it out to their own yet. Seems a bit backwards to me that my Galaxy S3 has been patched yet my Nexus 10 hasn't. You'd think Google would look after their own devices first, then give it to everyone else. Go figure!