The code and everything that goes with it for the “master key” vulnerability in Android is now public, which means the bad guys are busy working on new exploits.
So far there have been a few sightings of applications on Google Play that exploit the vulnerability, researchers at Bitdefender said. The apps are Rose Wedding Cake Game and Pirates Island Mahjong Free, both updated in mid-May.
However, in this case the apps are not malicious.
“The applications contain two duplicate PNG files which are part of the game’s interface. This means that the applications are not running malicious code – they are merely exposing the Android bug to overwrite an image file in the package, most likely by mistake,” said Bitdefender’s Bogdan Botezatu.
“In contrast, malicious exploitation of this flaw focuses on replacing application code,” he said.
While the apps are not malicious, the discovery does show applications leveraging the cryptographic signature vulnerability don’t raise any red flags when published on Google Play.
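The condition Botezatu describes is a package whose ZIP central directory lists the same entry name twice, so a check for it needs only the package bytes. The following is an added example, not Bitdefender's or Google's code: it lists duplicated entries, shows both payloads stored under one name, and separates the harmless duplicated-resource case from duplicated code. The sample package, the `classes.dex` heuristic and the entry names are constructed for this illustration.

```python
import io
import warnings
import zipfile
from collections import Counter

# Entry names that carry executable code; a duplicate here is the dangerous
# case described in the article. Heuristic chosen for this example only.
CODE_ENTRIES = ("classes.dex",)


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map each entry name that appears more than once in the ZIP central
    directory to the list of payloads stored under it, in directory order.

    zipfile keeps every central-directory record in infolist(), so duplicates
    are visible here; ZipFile.read(name) alone silently returns the last one,
    which is exactly the ambiguity the master key bug exploits.
    """
    found = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
        for info in zf.infolist():
            if counts[info.filename] > 1:
                with zf.open(info) as fh:  # open by ZipInfo, not by name
                    found.setdefault(info.filename, []).append(fh.read())
    return found


def assess(apk_bytes: bytes) -> str:
    """'clean', 'duplicate-resource' (the Google Play case) or 'duplicate-code'."""
    dups = duplicate_entries(apk_bytes)
    if not dups:
        return "clean"
    if any(name.endswith(CODE_ENTRIES) for name in dups):
        return "duplicate-code"
    return "duplicate-resource"


def build_sample_apk(dup_name: str, first: bytes, second=None) -> bytes:
    """Constructed sample package (not a real app): a manifest plus one entry,
    written a second time under the same name when `second` is given."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<constructed manifest>")
            zf.writestr(dup_name, first)
            if second is not None:
                zf.writestr(dup_name, second)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk("res/drawable/cake.png", b"PNG-A", b"PNG-B")
    print(assess(sample))             # duplicate-resource
    print(duplicate_entries(sample))  # {'res/drawable/cake.png': [b'PNG-A', b'PNG-B']}
```

A scanner built this way flags the two game apps as duplicated resources and a package with two `classes.dex` entries as the case that warrants blocking.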
Google has already addressed the vulnerability and OEMs are working on it. However, because of Android’s fragmentation, it will take some time until the patch reaches end-users.
That’s why Android device owners should consider the alternatives. For instance, CyanogenMod users already have protection against the exploit.
Duo Security released an app called ReKey designed to address the vulnerability on rooted devices. In addition, Bitdefender and other security solutions providers have updated their mobile products for Android to make sure they detect applications that abuse the master key flaw.